HTML/text/JavaSript Escaping/Encoding Script


These scripts are intended to explain how to "hide" HTML and/or javascript from other people who view your page's source code. It is not foolproof, but it does make it more difficult to read and understand the source code. Due to the nature of how these scripts work, the explanation may seem complicated and drawn out, but be patient and it should make sense once you gain a little experience with them. You don't really have to know the ins-and-outs of these scripts, but it does help you understand how and why they work. So, take a seat and I'll do my best to make this seem as un-complicated as possible.

By the way, my stolen "popup" script at popovergenerator.com uses a similar method of doing this to hide their thievery. Check out this page for proof...


Escape/Unescape

The first section of this page explains how to "escape" any text, HTML, or Javascript to make it generally unreadable to the common user. URL Escape Codes are two-character Hexadecimal (8-bit) values preceeded by a % sign. This is used primarily in browser URLs or for use when making cookies for characters that otherwise would not work, usually because they are reserved characters (like spaces and the like).

For example, if you had an HTML filename of page one, the escaped URL code would look like page%20one. The %20 is the escaped value for a space. Normally, you would only escape special characters (generally any character other than a-z, A-Z, and 0-9), but the script below actually escapes all the text simply by replacing all characters with their escaped equivalents. So, if you were to fully escape the words page one, it would look like: %70%61%67%65%20%6F%6E%65. Now, none of the text is easily decipherable even though most of it was made up of normal characters.

Since the browser can inherently handle escape codes, this can be used pretty easily without having to add any more script to decipher them. So, if you want the browser to write that escaped text to the page, you could do something like:

<script language="javascript">
document.write( unescape( '%70%61%67%65%20%6F%6E%65' ) );
</script>

All I'm doing here is putting the escaped string in a set of quotes (important!), wrapping that inside the built-in unescape() method, and then wrapping that in a document.write() method. This might seem a little worthless, but you could hide an email address this way to prevent web crawlers from snagging your e-mail address from your webpage to use in mass spam e-mailings, yet allowing visitors to read it fine... Unless, of course, you actually like getting Viagra solicitations. :)
For instance, my fully escaped e-mail address would look like this to a web crawler:

<script language="javascript">
document.write( unescape( '%73%63%72%69%70%74%61%73%79%6C%75%6D%40%68%6F%74%6D%61%69%6C%2E%63%6F%6D' ) );
</script>

... but would look like this to a visitor:

scriptasylum@hotmail.com

The two textboxes below will let you fully escape and unescape any text you want. Just type whatever text/HTML/JavaScript you want in the left box and click the --> button to fully escape it. Likewise, click the <-- button to convert it back to normal text to verify that it is the same as the original. You can copy & paste the escaped code into your page (don't forget to use the unescape() and document.write() methods).

Normal Text/HTML/JavaScript   (Select all...)







Escaped Text/HTML/JavaScript   (Select all...)



Encoding/Decoding

Now, you probably have figured out that you could hide an entire HTML page using the above method; but there are two disadvantages to doing that: Size and ease of "cracking" your code.

When you fully escape an entire page, every single character becomes 3 characters. This will triple the size of your page. Not a big deal if the page is only about 1-5 KBytes in size; but when you have a fairly large page (>10 KBytes), the filesize increases rapidly. This would slow the load time for the dial-up connection surfers out there.

Also, if someone were to look at your source code, it would be pretty easy to figure out what you are doing. Then they can simply copy & paste the code and make a small script to display the normal content. There is no absolute foolproof way (client-side) to foil someone from viewing your source if they are determined enough; the best you can hope for is to make it as inconvenient as possible.

So, to address both concerns you could encode/decode the text. Again, it won't be foolproof to keep people from stealing your source content if they really want it. I am really using the terms "encode" and "decode" loosely here; what the following script does is not considered actual encoding, but it's easier to say it that way. The encoded output will be a bit longer than the original text, but a lot less than if you had simply escaped it all.

The above section just escapes the text. The section below actually shifts the Unicode values so the result looks like gibberish. Give it a try and you'll see; don't forget to try different Code Key values from the drop-down box.


Normal Text/HTML/JavaScript   (Select all...)







Code Key:
Encoded Text/HTML/JavaScript   (Select all...)


The following steps are what the script does to accomplish this effect when you click the --> (encode) button:
  1. First, all the text is escaped.
  2. Then the script finds the Unicode values for each character in the string.
  3. Then the script adds whatever the Code Key drop-down box value is to each character's Unicode value.
  4. Then the script derives characters based on the shifted Unicode values.
  5. The Code Key value is also embedded in the decoded text so the script knows how to properly decode the string again.
  6. Finally, it escapes the result one more time to remove any special characters. Now, the output looks totally foreign to someone who cannot un-shift Unicode values in their head. :)
The decode step <-- simply reverses the process.

Unfortunately, the browser does not have any built-in ability to handle the decoding, so we have to use a function for that. So, you have to escape the function that handles the decoding to hide that part, and have the browser write it to the document. You don't really have to escape the decoding function, but it will make it that much harder for someone to figure out what's going on. Then, the decoding function can be used to decode the rest of whatever content you have encoded. I'll outline the steps below one-by-one to make this less confusing.
  1. Escape the decoding function. Before this function is escaped, it looks like this:

    <script language="javascript">
    function dF(s){
    var s1=unescape(s.substr(0,s.length-1)); var t='';
    for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
    document.write(unescape(t));
    }
    </script>

    Once escaped, the function looks like this:

    %3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%0D%0A%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%0D%0A%7D%0D%0A%3C%2F%73%63%72%69%70%74%3E

    Neat huh? :)
    Anyway, now you have to make the browser write that part of the script to the page by wrapping it in the document.write() and unescape() methods like this:

    <script language="javascript">
    document.write( unescape( '%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%0D%0A%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%0D%0A%7D%0D%0A%3C%2F%73%63%72%69%70%74%3E' ))
    </script>

  2. Now that you have the decoding function on the page, you can call it to decode whatever content you have encoded. Let's say you had a script you wanted to protect; something like an image preloading script like this:

    <script language="javascript">
    function preloadImages(){
    var iA=new Array();
    for(i=0;i<arguments.length;i++){
    iA[i]=new Image();
    iA[i].src=arguments[i];
    }}

    preloadImages('img1.gif','img2.gif','img3.gif');
    </script>

    Once the script above is encoded using "code key" number 1, it looks like this:

    %264Dtdsjqu%2631mbohvbhf%264E%2633kbwbtdsjqu%2633%264F%261E%261Bgvodujpo%2631qsfmpbeJnbhft%2639%263%3A%268C%261E%261Bwbs%2631jB%264Eofx%2631Bssbz%2639%263%3A%264C%261E%261Bgps%2639j%264E1%264Cj%264Dbshvnfout/mfohui%264Cj%2C%2C%263%3A%268C%261E%261BjB%266Cj%266E%264Eofx%2631Jnbhf%2639%263%3A%264C%261E%261BjB%266Cj%266E/tsd%264Ebshvnfout%266Cj%266E%264C%261E%261B%268E%268E%261E%261B%261E%261BqsfmpbeJnbhft%2639%2638jnh2/hjg%2638%263D%2638jnh3/hjg%2638%263D%2638jnh4/hjg%2638%263%3A%264C%261E%261B%264D0tdsjqu%264F1

    Then, you decode the string and write it to the page by calling the dF() function (which was just unescaped and written to the page in the previous step) passing the string above like this:

    dF('%264Dtdsjqu%2631mbohvbhf%264E%2633kbwbtdsjqu%2633%264F%261E%261Bgvodujpo%2631qsfmpbeJnbhft%2639%263%3A%268C%261E%261Bwbs%2631jB%264Eofx%2631Bssbz%2639%263%3A%264C%261E%261Bgps%2639j%264E1%264Cj%264Dbshvnfout/mfohui%264Cj%2C%2C%263%3A%268C%261E%261BjB%266Cj%266E%264Eofx%2631Jnbhf%2639%263%3A%264C%261E%261BjB%266Cj%266E/tsd%264Ebshvnfout%266Cj%266E%264C%261E%261B%268E%268E%261E%261B%261E%261BqsfmpbeJnbhft%2639%2638jnh2/hjg%2638%263D%2638jnh3/hjg%2638%263D%2638jnh4/hjg%2638%263%3A%264C%261E%261B%264D0tdsjqu%264F1');
So, to bring all this together, the following is what you would paste into your page:

<script language="javascript">
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%0D%0A%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%0D%0A%7D%0D%0A%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%2631mbohvbhf%264E%2633kbwbtdsjqu%2633%264F%261E%261Bgvodujpo%2631qsfmpbeJnbhft%2639%263%3A%268C%261E%261Bwbs%2631jB%264Eofx%2631Bssbz%2639%263%3A%264C%261E%261Bgps%2639j%264E1%264Cj%264Dbshvnfout/mfohui%264Cj%2C%2C%263%3A%268C%261E%261BjB%266Cj%266E%264Eofx%2631Jnbhf%2639%263%3A%264C%261E%261BjB%266Cj%266E/tsd%264Ebshvnfout%266Cj%266E%264C%261E%261B%268E%268E%261E%261B%261E%261BqsfmpbeJnbhft%2639%2638jnh2/hjg%2638%263D%2638jnh3/hjg%2638%263D%2638jnh4/hjg%2638%263%3A%264C%261E%261B%264D0tdsjqu%264F1');
</script>

I've highlighted the part that unescapes the decoder function in light yellow, and the part that decodes the preloading script and writes it to the page in light blue. You would just paste the whole section above into your page and the script would function perfectly just like it would if it were plain old English. Yes, it looks confusing, but that's the point isn't it? Oh, and one more thing: the whole string should appear on one line; you can not add forced line breaks.

The same thing is done if you want to encode a whole HTML page, except the encoded part of the string (light blue) could potentially be HUGE. The escaped function (light yellow) would not change however.

I've made a couple of wizards you can use for different purposes. You can achieve the same thing by using the escape/un-escape & encoder/decoder functions above, but these are specialized to take out some of the guesswork. Each of the links below will open a new window. The method this script uses to shift the Unicode values may be different from other similar encoding scripts you may find elsewhere on the net. My version simply adds the "Code Key" value to the Unicode value. Others may subtract, multiply, divide, square, etc a number to scramble the original text. No matter what, the method is very similar.

You can find a complete chart of all the UniCode values using the MS Windows charmap application.