JavaScript with the attribute “CF-Hash” mysteriously added to a source code
I just noticed that one of my articles on the website has a strange JavaScript code added to my raw code that I show in article.
This is how my original code looks:
scp SourceFile user@remote.host:
But when I visited the page, it was all munged like this:
scp SourceFile user@remote.host<script cf-hash="f9e31" type="text/javascript">
/* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function(){for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */</script>:
Some JavaScript is being added to my source code (and only in one place).
<script cf-hash="f9e31" type="text/javascript">
/* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function(){for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */</script>
I quickly edited the post and saw the content there was just fine. The only content that was getting munged was code output (in preview). It was very confusing. I use a plugin for syntax highlighting of source code examples, so at first I thought that this plugin causes an error. After I googled the attribute getAttribute(“cf-hash”)
. I learned that this is a function of email address obfuscation from “CloudFlare” service (which I use).
“Email Address Obfuscation” — a feature in CloudFlare that encrypt email addresses on your web page from bots, while keeping them visible to humans. There are no visible changes to your website for visitors. CloudFlare obfuscates your email address by default.
Service “CloudFlare” wrongly perceived the string user@remote.host:
as email address and therefore tried to obscure it.
In order to fix the situation, this kind of string must be escaped or the obfuscation of email addresses must be completely disabled.
1) To prevent CloudFlare from obfuscating emails, just wrap them in HTML comment tags like this:
<!—email_off-->EMAIL ADDRESS<!—/email_off-->
Any code (like email addresses) between the opening and closing comment tags will be displayed to the user exactly as written in the original HTML code.
2) To fully disable the obfuscating email addresses do the following.
-
Go to
www.cloudflare.com
and log in. -
Go to the
Dashboard
. -
Choose your website.
-
Go to the
Scrape Shield
tab. -
Set
Email Address Obfuscation
tooff
.
If you are having trouble fixing this problem with the instructions above, but are being able to solve this problem with any another method please describe it in the comment section below. Thanks!
If this article has helped you solve the problem then please leave a comment
Thanks for reading!
Arthur is a designer and full stack software engineer. He is the founder of Space X-Chimp and the blog My Cyber Universe. His personal website can be found at arthurgareginyan.com.