Hi Folk

What is the silverstripe philosophy on hiding emails? Right now, when you make an email link it blatantly shows in the source code, meaning that email harvesters will pick it up. What is the best way or what sort of ideas do you have about hiding email addresses?

Perhaps I could write a little module for it that can be added to ss. In that case, someone needs to tell me a bit more on how to do that :-)

Nicolaas

Currently we've not created any obfuscation, but certainly suggest what you feel is a good contemporary way of doing it :)

I have a small PHP function that takes the email address from the content and changes it into a bit of javascript that writes mailto:email@beemail.com. You can also write all characters as ascii code e.g. 'M etc... in combination with the above. Altogether this may provide a bit of obfuscation. Here is an example: http://www.cloud9.co.nz/ (see bottom of the page).

Not very sophisticated, but at least it shows that you have made an effort to prevent your clients from being spammed....

Usually, within days of publishing (without obfuscation), clients will find their email being spammed.

Hope that helps

Nicolaas

I found a pretty nice technique here:

http://viebrock.ca/code/11/

We could probably do something like this for bob@somewhere.com:

<a href="send/bob/somewhere.com">Bob's email</a>

[code php]
class Page_Controller extends ContentController {

function send() {
// ... do some checking of $this->urlParams here and perform an HTTP redirect to the mailto URI
}

}

That page has some nice examples of php code performing this sort of behaviour, instead of placing the mailto: directly in the source code. Perhaps this could be of some use?

Hope this helps!

Sean

it may be nice to use something that is not commonly used, because if it is commonly used then the email harvesters have more incentive to crack it....

I just committed the first revision of the hidemailto module for you guys to test :)

Run the following inside your silverstripe install:

svn co http://svn.silverstripe.com/open/modules/hidemailto/trunk hidemailto

Then, follow the instructions at the top of the hidemailto/code/HideEmail.php file to implement it :).

Summary: There are currently two ways to implement, either by passing a member ID or an email address in the format user/domain/subject.

If you're listing a bunch of members on your site, and want a link to email them, you can use the following code:
[html]<!-- This is some control that returns Member objects -->
<% control Members %>
<!-- No default subject -->
<a href="$HideEmailLink" title="Email $FirstName (opens your favourite mail client)">Email $FirstName</a>

<!-- A default subject of Hi there! -->
<a href="$HideEmailLink/Hi there!" title="Email $FirstName (opens your favourite mail client)">Email $FirstName</a>
<% end_control %>[/html]

You can also insert links manually - via the CMS or hard-coded into your templates - by using the format mailto/user/domain/subject, where:
- user means the part before the @ sign - e.g. for matt@silverstripe.com, it will be 'matt'
- domain means the part after the @ sign - e.g. 'silverstripe.com'
- subject is optional, and is the default subject that is loaded (it can be changed by the user)

Hope this helps someone :)

edit: I've tested this on SilverStripe 2.1.0, and it requires the DataObjectDecorator extensions that were built for the gallery module.

Nice work Matt, I've just had a quick test and it seems to be working quite well. I'll test a bit more, and see how it goes, but it seems to be working pretty well nevertheless, and is free of javascript like most other methods rely on. :-)

Sean

cool stuff, matt!

why wouldn't spambots (who crawl a site anyway) be able to follow a link in the format "/ingo/silverstripe.com/testmail" and extract the plaintext email-address from the url? they don't even have to be javascript-capable, just parse their own crawl-logs (or http-headers).

as mentioned on http://viebrock.ca/code/11/, you would've to combine this solution with a captcha to make it spam-bot safe. this in turn isn't very friendly to the user, who expects a simple email link.

i don't see this solution (without captcha) as much more secure than javascript-obfuscation, which can be worked around by spambots with similiar (or even more) effort. on the long run, having a $Content-parser in the module replacing all email-links with a client-side obfuscation would be cool :) definetly a good start though!