© 2022. All rights reserved.
Keeping email addresses away from harvester bots is an old problem. I decided to apply some new technology to it.
I think the third option is the best. But there’s a catch.
Putting an inline <script> tag in your HTML is considered a bad practice. There
that allows user-created content, like a comment section. If it’s not properly sanitized, it can attack any user who views the page).
Now I have two separate pieces of code, one that will encrypt the email addresses when it renders the HTML, and another that will decrypt them on the client side, after it’s downloaded the encrypted links. This raises a new issue.
On the Ruby side, I have these functions added in
All this does is randomly twiddle the last four bits of every byte in the address string. Again, it’s not very sophisticated. It’s maybe one step up from rot-13. But it doesn’t have to be cryptographically secure, since all we’re trying to do is confuse some bots.
With this helper, in any template I can write <%= obfuscated_email_tag 'firstname.lastname@example.org' %> and it will come out looking something like <a data-controller="obfuscate" data-obfuscate-address-value="BblfbokfG}ke|dpe}f+lzu%dc" href="#">. That doesn’t look anything remotely like an email address.
This gets run by Stimulus, as soon as it parses the HTML, and turns the link back into its original text.
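The round trip described above, as an added example that is not the post's own code: a low-nibble XOR encoder that also decodes, plus a plain-Ruby stand-in for the tag helper. The SEED constant, the LCG keystream and the EmailObfuscator module name are assumptions, since the post does not show how the twiddle is made reversible.

```ruby
require "erb"

# Added example, not the post's code. SEED and the small LCG are assumptions:
# the post only says the low four bits of each byte are "randomly twiddled",
# and the browser has to regenerate the same sequence to undo it.
module EmailObfuscator
  SEED = 1 # hypothetical constant that the client-side decoder must share

  # One 4-bit mask per input byte, from a deterministic 16-bit LCG.
  def self.masks(count)
    state = SEED
    Array.new(count) do
      state = (state * 75 + 74) % 65_537
      state & 0x0F
    end
  end

  # XOR each byte's low nibble with its mask. XOR is its own inverse, so the
  # same call decodes. The high nibble is untouched: '@' (0x40) always lands
  # somewhere in '@'..'O', and '.' (0x2E) can become '"', '&' or "'".
  def self.twiddle(text)
    raise ArgumentError, "ASCII addresses only" unless text.ascii_only?

    bytes = text.bytes
    bytes.zip(masks(bytes.length)).map { |byte, mask| byte ^ mask }
         .pack("C*").force_encoding(Encoding::UTF_8)
  end

  # Plain-Ruby stand-in for the post's obfuscated_email_tag helper. Because
  # twiddled output can contain quote characters, the value is HTML-escaped
  # before it goes into the attribute.
  def self.obfuscated_email_tag(address)
    value = ERB::Util.html_escape(twiddle(address))
    %(<a data-controller="obfuscate" data-obfuscate-address-value="#{value}" href="#"></a>)
  end
end

if __FILE__ == $PROGRAM_NAME
  address = "jo.doe@example.test" # constructed sample address
  puts EmailObfuscator.obfuscated_email_tag(address)
  puts EmailObfuscator.twiddle(EmailObfuscator.twiddle(address))
end
```

Because the high nibble survives, a lowercase address still shows where its '@' sits in the encoded string, which fits the post's own assessment that this only needs to confuse bots.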