0

Hello I have some javascript code, a script included inside my page. I want to hide this script(obfuscate), so to make difficult to users to see the code with source view? Is there any way to do this?

EDIT: It's logically that expert users like all stackoverflows users, can always find the source.

albanx
  • 6,193
  • 9
  • 67
  • 97
  • 1
    Duplicate of [How can I obfuscate JavaScript?](http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript) and many, many others. – Quentin Dec 17 '10 at 16:13
  • If you need to hide it it needs to be server side, and if you don't need to hide it you shouldn't be trying to. I question the motives of anyone who does this for any reason but bandwidth considerations and I question the value of what you're protecting if you don't know how to do it already. – annakata Dec 17 '10 at 16:16
  • 1
    The same question was asked just this morning with a very similar title - http://stackoverflow.com/questions/4468682/hide-javascript-code-from-client-closed. Please use the search function (I was able to find it again by typing "hidden javascript code" into the search box). – Andy E Dec 17 '10 at 16:17
  • It is not the same, I mean to find a clever way to hide js code that's what I am trying to do for now is this: – albanx Dec 17 '10 at 16:24
  • 1
    @Albanx `$.ajax({ url:'getjava.php', success:function(msg) { alert(msg); } })` Oh my I see your code. You cannot hide the code from the user – Raynos Dec 17 '10 at 16:49
  • 1
    @albanx: If it's not the same then you should word your question differently. As it stands, you're going to get the same answers anyway. – Andy E Dec 17 '10 at 17:19
  • @Andy E yes and i asked this "make difficult to users to see the code with source view",not to hide definitely – albanx Dec 17 '10 at 18:24

4 Answers4

4

For every obfuscator there exist a un-obfuscator.

If you have code you want to hide, use ajax and do the secret sauce on the server.

EDIT: It is possible to download javascript after page has been loaded and run that (this should work just fine to extend the runtime after the initial load, but the code is still transferred to the client and is possible to read for a human at the client end).

What I am trying to convey is that your critical code should only be run on the server and the result returned to the client.

Knubo
  • 8,333
  • 4
  • 19
  • 25
  • that's what i am trying to do, but seems that in eval(code) it fire once the code but dont preserve function, so i cant call any more function. – albanx Dec 17 '10 at 16:23
3

Just use any minifier: Google Closure Compiler, and YUI compressor are the most popular.

These will remove all whitespace, comments, and change variable/function names to single-character names where possible.

Or, if you want to be a little more extreme, this tool will convert variable names and strings to Hex: http://www.javascriptobfuscator.com/default.aspx

David Tang
  • 92,262
  • 30
  • 167
  • 149
2

The best you can do is to define your own obscure language, call it #

Then write two compilers, # to JavaScript (this one needs to be in JavaScript) & JavaScript to #

Then just have a single file on the client that gets some source written in # from the server and then compile / evaluate it line by line on the fly.

Of course # needs to be obscure, and the JavaScript -> # compiler is so that you can just write your code in JavaScript and pre compile it to # and store it on the server.

It's not secure. People can read the compiler and figure out what the JavaScript equivalent is, but if you can find me a single person who cares enough to do that and I'll be impressed.

A minor side effect is that your seriously damaging performance on the client side merely due to an obsession with hiding your source code.

[Edit]

Of course we obscure the compiler with minimizers and ensure that the compiler, compiles & runs internally without converting to easily readable javascript anywhere.

Raynos
  • 166,823
  • 56
  • 351
  • 396
1

There's nothing you can do to completely "protect" the code from being taken, read, understood, and used by anybody who can fetch your page short of legal action should you detect it being used in a way that you feel violates your copyright.

There are various compressors; I use YUIcompressor.

Pointy
  • 405,095
  • 59
  • 585
  • 614
  • I know, that's way I am asking "to make difficult" and not to completely hide. I use compressor but with a simple formater they can be fire off – albanx Dec 17 '10 at 16:22
  • 1
    @albanx: even using "a simple formatter" is beyond the reach of most "1337 $kr1p7 k1dd1ez" - that should take care of the lower 80%; against the top 20%, there's no real protection. – Piskvor left the building Dec 17 '10 at 16:40
  • @albanx you're the only one who can decide how much value you place in the secrecy of your code. If you feel that it is *very* valuable, then somebody else may think so too, and that somebody will be able to figure it out or hire somebody who can. If you **must** protect your code, keep it on your servers. – Pointy Dec 17 '10 at 16:45
  • my code is always free (see at www.albanx.com) but in my company they want a code hider, for they reason. – albanx Dec 17 '10 at 18:29
  • Well if that's the case, then the Google tool or YUICompressor or something like that is probably your best bet. – Pointy Dec 17 '10 at 22:15