[Home]Hide source

HomePage | RecentChanges | Preferences | Newbie Help

You can't hide the source on an HTML page. The browser has to see the source in order to display the page. If the browser sees the source, so can a human being. JavaScript routines that are supposed to disable right-click and browser menu functions to prevent viewing the source code are easily defeated. To keep information from being viewed, don't put it on a web page in the first place.

Froggie's Law: If you think you have to hide your source, it's a sure bet you have nothing worth hiding.


If you don't believe us, see http://www.vortex-webdesign.com/help/hidesource.htm


Interesting article on this topic at evolt, explaining why disabling user interface is usually a "bad thing": http://evolt.org/article/Leave_that_mouse_alone/17/719/index.html - Steph


Brucie says:

why people laugh and throw rocks at people who use them:
http://www.htmlhelp.com/faq/html/all.html#hide-source
http://www.htmlhelp.com/faq/html/all.html#media-nosave

Not-brucie says: Another script, with tutorial

http://potentproducts.com/resources/tools/index.html

And one which works pretty well: http://webreference.com/dhtml/diner/contextmenu/

Tutorial, with warning, even -- http://javascript.internet.com/page-details/no-right-click.html

MindProbe HTML and Java glossary entry -- http://mindprod.com/unmain.html


Discussion


For external JavaScript files --

Assertion -- if the page is written dynamically via an external javascript the source will not be viewable. Furthermore, if the page is written in XML, view source in IE will only show the the four lines of javascript which are used to make the transformations.

Rebuttal -- type this into the location bar, or add it to your links bar whilst on the page to view-source... (no newlines of course.)

 javascript:str=window.open('','source');str.document.write('<TEXTAREA%20rows=30%20cols=72>'+document.body.outerHTML+'</TEXTAREA>');void(0) 

-- Jim Ley On Wed, 04 Apr 2001 08:38:55 GMT, alt.html


For HTML jumbled into JavaScript files -- as in www.htmlhide.com

The program obfuscates the source by jumbling it up. It then puts it all into a bunch of javascript functions. The HTML page calls a function that unjumbles the code and puts it in a variable called wer. Then document.write(wer) is used to build the document. If you turn javascript off then you see nothing.

The way to do it is to steal the HTML page and the javascript file.

Then, at the bottom of the HTML page add these two lines of HTML:

 <textarea rows="50" id=source cols="100"></textarea> <script language="javascript">source.innerText = wer;</script> 

Voila, you have the source code neatly inside a textarea. Here, I cut and pasted a bit of it for you: (exceprt duly posted...)

-- Richard Formby on alt.html, 15 Jun 2001 03:32:09 GMT

Jerry Muelver -- Richard, how does it work on Protware's HTML Guardian at http://www.protware.com/demo.htm.... Whoops, never mind. Isofarro says just put javascript:alert(s5); in the location bar while viewing the page, and all will be revealed! And sure enough, it works. Iso adds that "http://www.protware.com/demo2.htm the password is protware (just looking at the source). After that the source is quite viewable and extractable." How embarrassing for ProtWare.

Isofarro -- The Protware site works the same as Richard's explanation above, except that the decoding routine itself is "scrambled" by converting every character of the original script to its ASCII code equivalent (%xx). This is eval(unescape()) into the page, and that in turn takes the variable that stores the body and unscrambles that.

Their encoding is a simple format. All the odd-indexed characters are stored first, followed by the even-indexed characters, so "Hello World" is stored as "el WrdHlool".


XML/XSL/JavaScript solution by Bill Platt on his home page


Another solution: Use Atrise HTMLock (http://www.atrise.com/htmlock/) This program uses encryption for page source hiding. This solution works in just a few mouse clicks, but it is a commercial software.

This is an example of such page: http://www.atrise.com/htmlock/lockedsrc.html

 <TD align=middle colSpan=3><INPUT size=30 name=p> <INPUT type=submit value=Search> <A href="http://www.yahoo.com/r/so">advanced  search</A></TD></TR></TBODY></TABLE> <TABLE cellSpacing=0 cellPadding=3 width=640 border=0> <TBODY> <TR> <TD noWrap align=middle><SMALL>Shop  <A  href="http://www.yahoo.com/r/a2">Auctions</A>  <A  href="http://www.yahoo.com/r/cf">Classifieds</A>  <A  href="http://www.yahoo.com/r/sh">Shopping</A>   


Protecting the source is not really necessary; the expensive thing on a website is the content. Here is the ultimate tool to protect your content: [Kenny Translator]. This will completely garble your text and make it unusable for thieves. Matthias Gutfeldt



I'm trying to see the source of http://www.mahoganys.com/mah_tut_index.html and cannot. I'm fairly certain it's encoded with Atrise HTMLock but can't get past being unable to copy any part of the text to paste it into Namo in which I usually do for pages encoded with HTMLock. Can anyone tell me how to do this? Thanks.

This relies on the fact that there is no textarea within the code. It works in IE5. Displays the code with no line breaks in NC4.6.


Here's one: http://www.topsites.co.uk/test2/lookatme.asp How to retrieve the script that writes the alert(s)? --- Here's the "secret" piece of code from "http://www.topsites.co.uk/test2/lookatme.asp":

function whoAmI(){alert("This is an alert box");alert("Find my code")}

How to find it? Just empty you web page cache, go to the page, look in you cache folder for some plain text file. Open it in an editor. Look at the code.

Or simply use IE to save as webpage and look in the _files directory at js.js

To see the method, type javascript:alert(whoAmI) into the location bar


Here's a page that uses javascript to disable the ability to copy and paste, and the source is encrypted: http://prestigiousdames.com/char/57_chevy The encrypting function appears to be in the ascii encoded part at the end of the source, but I can only decrypt it partially. Can anyone get through this and explain how they did it?

There's no need to decrypt anything yourself. Just use the bookmarklet "generated source" found on this page: http://www.squarefree.com/bookmarklets/webdevel.html.


I have found this little challenge http://www.lol.dk/lol/jscript/quest

After several hours and 4-5 different browsers I haven't succede yet - anybody ??


The above example (quest) is done using an external Javascript file, which is generated through server scripting. By checking the HTTP_REFERRER variable in the generation of the Javascript-file, you can't get the correct JavaScript out through the browser.


Ohh yes it can.. sadley :( .. still working on improving it ;)

 - chris@jubii.dk | http://www.lol.dk


easy.

oliver.


OK, not to beat a dead horse... but what I want to know how to do is displayed on this very page.... how do you grey-out (disable) the browsers "EDIT SOURCE" button on the toolbar. I am assuming it is server-side coding... but where could I find an example of how to set it up??


In response to lol.dk:

				// just kidding its here and all :)
				// Anyway good work.
				// im correntley working on a real hacker test but you will have to check back in a month or so to find that :)
				alert("heh try grapping this js code ;) heh and the text along width it....")

bgbuck7


i'm a newbie here. i looked at www.mophun.com. the right click is still enabled, but once you click "view source" it shows nothing. and when you tried to "save as" the page, it'll show an error: "this page cannot be saved" at the end of the progress. anyone can tell me how to do this trick? -nin-

I got the full source in NotePad when I clicked "View Source". Haqve you tried some of the techniques described here? -- Jerry


HomePage | RecentChanges | Preferences | Newbie Help
This page is read-only | View other revisions
Last edited July 29, 2003 8:51 pm (diff)
Search:

This FAQ is happily hosted by Betadome Digital Media