[4.0] email cloaking without inline script #19089
Conversation
|
Seems good to me. Looking forward to the event listener for Ajax rendered content as I rely on this myself. |
|
@C-Lodder check @Fedik 's comment: #18843 (comment) |
|
@C-Lodder can you test this one against some ajax created email addresses? |
|
Can someone from the Security Team confirm if simple encoding is ok here or if we need a stronger key-value approach? |
|
Here is what the bots will see: This is after the js has been executed: Good part: ajax inserted content will work without any extra line of code (use the platform for the win) |
|
Sure, I'll test this tomorrow |
|
Just wondering: Does it even make sense to cloak emails? Afaik Google runs JavaScript when they index the sites, so they will index the email addresses as well. |
|
@Bakual thats true 😂 |
|
Looks good to me |
|
please fix code style issues |
I think only a complex bots, |
| @@ -0,0 +1,43 @@ | |||
| (() => { | |||
| class JoomlaHiddenMail extends HTMLElement { | |||
There was a problem hiding this comment.
Maybe a bit OCD of me but could we change the class to JoomlaCloakEmail or JoomlaEmailCloak? Apart from being better wording, it ties in more with the PlgContentEmailcloak PHP class
There was a problem hiding this comment.
I think @C-Lodder has a good point,
it will be more clear, "where the thing are come from" 😉
JHtmlEmailCloak and JoomlaEmailCloak
There was a problem hiding this comment.
Yup, makes sense, I will change it
| newEl.setAttribute('href', 'mailto:' + window.atob(this.getAttribute('first')) + '@' + window.atob(this.getAttribute('last'))); | ||
|
|
||
| // Get all of the original element attributes, and pass them to the link | ||
| for(var i = 0, l = this.attributes.length; i < l; ++i){ |
| newEl.setAttribute('href', 'mailto:' + window.atob(this.getAttribute('first')) + '@' + window.atob(this.getAttribute('last'))); | ||
|
|
||
| // Get all of the original element attributes, and pass them to the link | ||
| for(var i = 0, l = this.attributes.length; i < l; ++i){ |
|
@C-Lodder did you manage to try this one? |
|
Ah crap, will test now |
|
Tested and seem to work perfectly with content rendered via Ajax |
|
I have tested this item ✅ successfully on d6f2d72 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089. |
|
please fix the CS issues and don't comment code just remove it |
|
@C-Lodder can you test this with the sample data I put in the description? |
|
Here are the tests to do:
gives Inspector displays address and wrong encoding for utf8 And on image
displays nothing and with your example with image above Note: I do see the images correctly when editing the article in front or back-end. Therefore it may not be related. |
|
Correction: I understand these screenshots do not really show source as they are picked from Web Developper Inspector. In source, the mail adress is obsfucated as should. |
|
Concerning the image, I'm afraid it is a Routing issue due to your PR... The article is displayed in a blog menu item.
An image not concerned by the email cloak displays OK. |
|
@infograf768 I knew you'll find some bugs here that's the reason I've asked you test! Thanks, will patch things in a bit |
|
@infograf768 now should be ok, both failing cases: |
|
UTF8 display is corrected but not the path to image when we call it from a blog |
|
Also, when there is a UTF8 subject, it is still garble.
|
|
I have tested this item ✅ successfully on 385af9c Question: any way to also add test for utf8 mails ? This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089. |
|
Php tests or js tests? |
No idea. Something in PlgContentEmailcloakTest.php I guess. |
|
@infograf768 added two more tests for UTF-8, all tests pass now |
|
I have tested this item ✅ successfully on 5ec825e This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19089. |
|
@infograf768 can you please retest? |
|
@franz-wohlkoenig he doesn't have to, the last commit was to fix the tests, didn't touch the rest of the code 😏 |
|
Ready to Commit after two successful tests. |
|
@dgt41 Thanks! |
|
@wilsonge why did you merge this with drone / unit tests failing? All Joomla 4 PR's are now failing. @dgt41 The error looks like to come from this line https://github.com/joomla/joomla-cms/pull/19089/files#diff-a5e4a8ab7a94472482aa9109f381223fR61 as |
Pull Request for Issue # .
This PR is part of the series of PRs that try to eliminate the inline scripts from Joomla. (The reason is CSP, please watch @wilsonge 's video from JWC17...)
Summary of Changes
Testing Instructions
Edit an article and add
email: something@somewhere.comNavigate to the article and check if the email is visible.
Disable javascript and reload the page (email shouldn't be visible)
Go to Admin->plugins->Content - Email Cloaking and change the option Mode then revisit the article, the email shouldn't be a link
Set the editor to codemirror and edit the article
popular articlesfrom the sample data.Replace the contents of the article with:
Check in the front end that article, with and without javascript enabled!
Expected result
All the possible cases as described in the tests:
Actual result
Documentation Changes Required
Yes