-4

I know that question is a little stupid. But i have next problem: I do obfuscation of my HTML code by http://myobfuscate.com/ , as you can see this site do like this: he creat varriables and put on it JS code. Here is code like this:

var lOOL = 'document.write()';

than it print on page by eval(). So if i want to inset this code on AJAX success function:

jQuery('#asd').html(data)

I have problem. What i can doo to solve it ? P.S. in my backend i have next code:

echo '<script id="crypt_data" language="javascript" type="text/javascript"> '.$obfuscatedcode.'</script>';

all my JS code which i have after use library oF http://myobfuscate.com/

i have at $obfuscatedcode thanks.

Boris Kuzevanov
  • 1,232
  • 1
  • 12
  • 21
  • i tryed to replace eval() like this `$obfuscatedcode = preg_replace("/eval\((\S*)\)/", 'eval($1.replace("document.write","$el.html"))', $obfuscatedcode);` but it doesnt work..on firebug i've error: ReferenceError: $el is not defined – Boris Kuzevanov Nov 05 '13 at 07:59
  • Just out of curiosity: why are you obfuscating JS & HTML? The obfuscator produces both the obfuscated version as well as the code to de-obfuscate it and both end up on the client. – Cristian Lupascu Nov 05 '13 at 08:01
  • Is this really worth it? The 'obfuscated' HTML can be read through browser inspector tools anyway – JAL Nov 05 '13 at 08:02
  • i do obfuscation only of my html code. – Boris Kuzevanov Nov 05 '13 at 08:02

4 Answers4

0

In general you should minizmize the javascript in static files on the server one time only. Also I suggest you don't use any code from myobfuscate.com as it has really poor reputation on Web Of Trust and is blacklisted by AV providers.

Hugo Tunius
  • 2,869
  • 24
  • 32
  • do you have some variants of obfuscation ? – Boris Kuzevanov Nov 05 '13 at 08:04
  • Use a tootle like google's closure compiler to minify your code. This question talks about it http://stackoverflow.com/questions/2030671/google-closure-minifier-online . Because it is a command line tool you can incorporate in your build/deployment process. I suspect you are generating dynamic javascript from PHP though? You shouldn't do this, instead rewrite your javascript to be static and insert dynamic calls from PHP. As for your HTMl as @JAL said obfuscating HTML is a fruitless endeavour. – Hugo Tunius Nov 05 '13 at 08:09
  • on my backend i get my data from DB. Than i do HTML on loops and than i do obfuscation of this HTML – Boris Kuzevanov Nov 05 '13 at 08:14
  • Still you should not try to obfuscate HTML, it will not stop anyone from reading the source. It will just end up wasting CPU cycles on your server which is completely unnecessary. It's possible to **minimize** the HTML to reduce the size of the page, but trying to hide the HTML by obfuscating it is not a good idea and will not stop anyone who want's to read your source. – Hugo Tunius Nov 05 '13 at 08:55
0

you may use append function of jquery. jquery append

$('#asd').append( "<p>put your html here</p>" );
Adil Abbasi
  • 3,161
  • 1
  • 40
  • 35
0
document.getElementById("yourdiv").innerHTML = "Your Message";
Orbay Yeşil
  • 27
  • 4
-1

To do this you need to change the code provided by http://myobfuscate.com/.

  1. Replace the eval function with a your function. I used newEval in the example below.

  2. Create a new function to replace eval. add this code to it.

    function newEval(code, target) { code = code.replace(/document.write(/, "myWrite('" + target + "',"); eval(code); }

  3. Make another function named myWrite, which will receive the the target as first argument and the second argument will be your deobfuscated code which you can then use with jquery to put the code into required html section.

Balwant Singh
  • 287
  • 5
  • 14
  • Can you write more detally ? – Boris Kuzevanov Nov 05 '13 at 08:29
  • the code you get from the site has eval function called in the end. replcae that with the newEval like `newEval(O10(O1l(IOO)));` create the newEval function as explained in step2 and in the myWrite function, use a code like `$(target).html(code);` – Balwant Singh Nov 05 '13 at 08:34
  • it must be like this afterr replace i will have : newEval(O10(O1l(IOO))); than i doo this code: function newEval(code) { $('#sadsa').html(code); } yes ? – Boris Kuzevanov Nov 05 '13 at 08:39
  • no no. There are 2 functions. 1. newEval - It replaces your eval. 2, myWrite - this replaces your document.write function. newEval has to be same what I gave you. in myWrite function you can have the code of your wish. and I would suggest you to use the passed selector and not hardcode it. – Balwant Singh Nov 05 '13 at 08:49
  • You should not do this, the use of eval is neither recommended nor is it optimal. Find a solution were you do not have to generate dynamic javascript, this will become a security issue for you. – Hugo Tunius Nov 05 '13 at 08:56
  • so in FN myWrite i do this: MyWrite(code) { code = code.replace(/document.write(/, "myWrite('" + target + "',"); eval(code); } Yes? Now how i can to use it on success function on my ajax ? – Boris Kuzevanov Nov 05 '13 at 08:57
  • Hugo T But i need to ubfuscate my HTML. I have no ideas – Boris Kuzevanov Nov 05 '13 at 08:58
  • Boris why do you need to obfuscate your HTML? – Hugo Tunius Nov 05 '13 at 09:02
  • Because it want customer ;) – Boris Kuzevanov Nov 05 '13 at 09:03
  • I expect this whole obfuscated code to be received via AJAX. and then I run the code either by adding it to HTML by jquery or using eval. The code I get from AJAX should be replaced with newEval as it uses eval function in it. after that when this code will run, it will execute your newEval function which will later call your myWrite function which is receiving the de-obfuscated code. you can then write your de-obfuscated code to desired html using normal jquery. – Balwant Singh Nov 05 '13 at 09:10
  • Well Boris you'll have to explain to your customer that obfuscating HTML serves no purpose as it can be read by anyone who has a web inspection tool like firebug or chrome inspector. Try using firebux or Chrome inspector on the output from this jsFidde http://jsfiddle.net/DGBLx/1/ you'll see that even though the source is obfuscated the web browser will display it unobfuscated. – Hugo Tunius Nov 05 '13 at 09:13
  • Hugo, i tryed to expalin it, but i need to do it anymore :( – Boris Kuzevanov Nov 05 '13 at 09:16
  • in your ajax success function, make sure the data you recived has replaced eval with `newEval`. do a normal string replace. after that send this code to eval of do it like this : `$("").html(obfuscatedCode).appendTo("head");` This will process the code and send it to `newEval` function. Copy the `newEval` from my code above. Make another function named `myWrite`. In my Write you will get the text you want to display/use in t your HTML. use that as you would use in a normal Ajax Success handler. – Balwant Singh Nov 05 '13 at 09:32
  • now i have : SyntaxError: illegal character window[ "eval" ].call( window, data ); – Boris Kuzevanov Nov 05 '13 at 09:38
  • why are you calling it like this? can you detail the issue? – Balwant Singh Nov 05 '13 at 09:51