Sneaky JavaScript Source Code Hiding

One of the most common questions I find that is asked by newbie webmasters is “how do I hide my source code?” Most of these kids don’t have websites/code worth stealing, but nonetheless you’ve got to see past the “oh God, not another one” and respect their determination to protect their hard work. That said, I have to admit I usually roll my eyes and answer with “You can’t. Period.”

Nothing has changed. I still don’t know of any viable way to hide your source code (not that I would, I don’t mind sharing snippets here and there; anyway…) So, when I finally get to login to my mail (mooching off Karl’s Mum’s Internet) today and see a suggestion for a tutorial posted on Sunday with the following text: “A tutorial showing how to eliminate your source code from being seen (like at www.kao-ani.com)” ..it made me quite curious.

Still, I repeat, nothing has changed. The owner of Kao-Ani has sacrificed her JavaScript impaired users to implement a method of source code-hiding that would indeed confuse the majority of webmasters. Even those a little more ‘net savvy than most may be daunted. T’is a simple concept though — by replacing characters such as < and the space with their hexidecimal equivalent, the person viewing the source sees what looks like gibberish. However, the JavaScript unescape() function converts the characters back to plain text and writes the data from the file referenced in the mixed string. In Kao-Ani’s case, the file is a .js with simple HTML frameset tags.

Of course, to save you the bother of converting the hex characters, pulling out the filename, typing it into the address bar and then viewing the source you could just use the Firefox web developer toolbar extension to view the frame source from the toolbar, but where would the fun be in that? It’s quite resourceful really, I almost feel guilty for sharing the ‘secret’… (I jest.)

35 comments so far

  1. Xeronia said:
    On 01 Nov at 8:24 pm

    I once read somewhere that if the browser can decipher the code, there is always a way for the viewer to see it. Instead of worrying about code, people should stop stealing stuff. Thanks for the secret!

  2. Jenny said:
    On 01 Nov at 8:28 pm

    .. I can remember when some girl kept getting really pissed off at people using her “clocks” and accusing them of stealing her idea and you know they “used the EXACT same code!” I was like “.. but your code was from that dhtml scripts site..” That being said, her source code was completely encrypted (but I emailed her with a URL of mine that just deencrypted it for her xD) even though she was known for her graphic skill and not her coding skillz. ‘Tis quite cute though (those sites that are in the kao-ani circles).

  3. Amelie said:
    On 01 Nov at 8:41 pm

    I saw that question, and went to that kao-ani site and did exactly what you did – got webdev up, looked at the JS and saw that the code isn’t really worth stealing anyway. I used to put loads of whitespace at the top of my source so it looked like it was empty when people viewed it, but that is probably even more daft than the JS way. People will notice the scrollbar won’t they? Not what I thought.

  4. Audrey said:
    On 01 Nov at 9:04 pm

    THAT is the most annoying thing ever. If I didn’t want to use my mouse I would unplug it myself. How idiotic. It is a silly thing to be worried about anyway.

  5. Kelly said:
    On 01 Nov at 9:18 pm

    I used to think the “no right click” scripts did enough. Didn’t realise the user could just click “View” and “Source” :P

  6. Chans said:
    On 01 Nov at 9:19 pm

    I prefer to ask when I don’t know what code to use or when I can’t et it done properly (but you probably know that ;) ). But just looking at someone’s source code without taking anything can be a good way to learn certain things so you can implement it your own way in your site.

  7. Trish said:
    On 01 Nov at 9:26 pm

    Yeah…no matter what, people will still find ways to get source codes. I look at source codes sometimes, but like Chans said, I just try to see how the more experienced people code, it really does help though.

  8. Alys said:
    On 01 Nov at 9:47 pm

    Geez, talk about paranoia. I agree with Xeronia, less hiding, less stealing and more helping! No reboot Jem?

  9. Hillarie said:
    On 01 Nov at 10:23 pm

    You know what? I think that the reason people even bother with the javascript is just proving that society isn’t trusted. I wish that the world was simpler….

  10. Gemma said:
    On 01 Nov at 10:54 pm

    Using JavaScript to load a frameset in order to hide the HTML of the index page, despite the HTML of the actual content pages still being available through Firefox’s ‘view frame source’ command? Not just perversely inaccessible design, but *pointlessly* perversely inaccessible design. Almost a thing of beauty in its own way.

  11. Carina said:
    On 01 Nov at 11:19 pm

    Phew! When I read the first few sentences I thought, ‘Jem is teaching people how to hide their source code?’ I love ‘view source’. It’s great for reviewing, getting around crazy javascript thingies and other stuff. Why do people want to hide their source code? It’s not like it’s special or unique, we all use the same basic tags. My source code is nothing special.

  12. Lew said:
    On 01 Nov at 11:44 pm

    One shouldn’t need to protect code. If someone is going to go to all the effort to extract all the source-code and adjust to work for their own needs then all power to them, they’re clearly able to code it from scratch. I also think it’s a great way to learn, to actually see a working deployed solution and how it was done. The real issue here is encouraging programmers to code methods to render sensitive data useless to those without a key, or their half of the whole (if that makes sense). One example would be a one-way hashing method. It doesn’t matter if people know the hashing algorithm, because it cannot be reversed, so they wouldn’t gain anything if they tried. I I don’t care if people know how my code works, in fact I hope it’s elegant enough that they want to copy it. The important thing to me is that they can’t circumvent the system, even though they know how it works.

  13. Julie said:
    On 01 Nov at 11:48 pm

    I love sneaking into people’s source. Then I write myself reviews on how crappy their markup is. Had you seen the link to the site I was referring to in my entry? Enjoy: http://tinyurl.com/uh7h9

  14. Belinda said:
    On 02 Nov at 1:05 am

    I personally am really against hiding source code. When we all started learning HTML, I’m postive we all looked at others’ source codes to learn things. I’m not endorsing stealing others’ coding, but looking and learning is a valid way of gaining knowledge. Plus, ten out of ten times, the code isn’t worth hiding, anyway. ;)

  15. Montoya said:
    On 02 Nov at 4:47 am

    People need to learn that Javascript is a dime-a-dozen and there’s nothing worth hiding that you could ever write in that language.

  16. Martijn said:
    On 02 Nov at 1:22 pm

    @Montaya, I agree with the fact that hiding client-side code is a useless and futile practise, but to say Javascript is a dime-a-dozen isn’t true. It is often overlooked, but it is a truely powerful language that can add dazzling dynamics to your website. Web 2.0 will be a better place thanks to it. Just think of Ajax and co.

  17. Nan said:
    On 02 Nov at 2:07 pm

    Sometimes I have a feeling that some people only are hiding their source codes because it is an available feature – not because they are afraid that someone are going to snatch their actual code.

  18. Aravis said:
    On 02 Nov at 3:07 pm

    In my opinion, if a person really wants to take somebody’s source, all those little scripts aren’t going to stop him. Some people are just that desperate. Or in my case, challenged. I love a good challenge, and finding a site with no-right click scripts just encourages me to view the source more. When I get to it, I love the feeling that I won. :D Of course, there’s really nothing to hide in the source.

  19. Shawna said:
    On 02 Nov at 3:33 pm

    Grand way to break your website for someone with javascript turned off. /tells no script to forbid kao-ani.com forever

  20. Amelie said:
    On 02 Nov at 4:32 pm

    You know what else is daft? Anti-selecting scripts. People put them on their sites thinking you won’t be able to copy their content. Wrong! I saw some girl’s site full of stolen quotes and she’s “protected” them with one of those anti-select things. She’d also stuck a no-right-click script on there, as well as stupid source messages like “UR IP HAS BEEN LOGGED!!!!!!!111 I NO UR STEELIN MY STUFF!!!! G0 AwAYyY!1!!”. What amazed me most was that she got a string of comments saying “Plz tak off ur select blok, i want 2 use ur quotz!1!” *Rolls eyes x9830529835*

  21. Becky said:
    On 02 Nov at 5:50 pm

    I betcha any one of us could completely and totally recreate that layout without viewing the source. I should do that and send it to her to prove that her idiotic Javascript shit doesn’t really work. You know what I really, really, really HATE? Those right click menus that people put on their sites. You know, instead of the standard menu you get a customized list of links within the site and you can’t right click to view source? Yeah, those are fucking stupid.

  22. Jordan said:
    On 02 Nov at 6:49 pm

    @Becky nothing annoys me more then having to deal with a site that has it DISABLED. I’m an avid fan of right-clicking to open links in new tabs. 99% of the time if I can’t right click in a site, I leave it. I also dislike when I cannot highlight text. Sometimes I have a habit of highlighting text because I’m bored or just because I like to keep my place in a long(er) entry or something. But the best part about no right-click to view source is that most browsers (okay, only speaking for FF here) is that you can easily go to View > Page Source. Some people have feeble minds that don’t think outside the box.

  23. Amelie said:
    On 02 Nov at 7:34 pm

    ^ You can disable no right-click JS scripts – go to the FF options and on the JavaScript options tab, make sure “allow scripts to receive right clicks” is unchecked. Alternatively, get the NoScript extension. No more crappy JS from crappy sites! Woo!

  24. Martijn said:
    On 02 Nov at 9:21 pm

    @Amelie: doesn’t the NoScript extension disable all javascript ? In which case you’d lose out on a huge deal of useful effects (as said in previous post) like Ajax ? Or does it filter it instead, judging what is good and bad ?

  25. Amelie said:
    On 02 Nov at 11:23 pm

    No, it doesn’t filter it, it allows JS based on a list of “safe” sites. It works well enough for me, those sites with AJAX tend not to have bad JS all over them so I can enable JavaScript for those sites without worrying about stupid effects. :)

  26. Mary said:
    On 02 Nov at 11:59 pm

    What I think is hilarious is that two minutes after I read this post, I come across another website with that type of HTML “protector” that was generated at regretless.com/scripts/php_encoder.php. Honestly, do these people think that their coding is worthy of stealing or something? 99% of the time they don’t have doctype declarations. @Jordan: If you have one of those scroll-wheel mouses, you can click on a link with the scroll wheel and it will open the page with a new tab.

  27. Mat said:
    On 03 Nov at 3:05 am

    Anyone who hides their source or obfuscates it is denying the nature of ‘learning by example’ something i myself would never wish to take away from anybody, infact i would rather share my source and recieve constructive feedback and help someone learn or learn something myself from the whole experience… Isnt that the purpose of a webpage, to share information? Just because it’s inbedded information doesn’t give it any less meaning. If you really want to hide the source Hashing is the only ‘real’ way to go about it. Personally i find the whole idea proposterous :)

  28. Gemma said:
    On 03 Nov at 10:05 am

    Yes, JavaScript seems to have become a kind of ‘bastard stepchild’ for some people who associate it with intrusive alert windows and decorative DHTML scripts. The annoying uses, of course, don’t change the fact that JavaScript and the DOM are the standards-compliant way to code the ‘behaviour layer’ of a Web page.

  29. Jordan said:
    On 03 Nov at 4:05 pm

    @ Mary, holy hell I never knew such a thing. But now it means that the websites I’d normally leave because of various annoying elements, will force me to stay there… *continues to click links with the scrolling unit*

  30. Sledge said:
    On 03 Nov at 4:12 pm

    I occasionally look at source codes if I find a site that I really like and would like to see if the owner is a good coder too (on top of being able to make a lovely layout with great content); however, I’m not all that saavy with coding myself, so a lot of it is learn by example — I sort of ‘steal’ someone’s code and play around with it a bit, save it, and maybe I’ll be able to use it later for something. I think it’s neat that people are so dedicated (though n00b) to put an ‘anti-stealing’ code on their site. For those of us who can figure out how to see the code, it’s worth being able to look at, because it’s one looking at another’s craft, but for others to look at it, maybe very green coders who would steal directly, it discourages large scale theft after someone has worked very hard on their site. On the other side though, maybe those who are very new to coding need that extra help from sites that are willing to share their codes without trying to cover them up and hide them. The more I think about this, the less of a point I have, and the more unsure I feel about it… haha Either way, very cute new layout, Jem; I very much like it.

  31. Stephanie said:
    On 03 Nov at 4:30 pm

    People really do overlook JS. I’ve been using it to calculate screen reses so I could a few equations in PHP to make graphs that appear the same size cross-res. Percentages just didn’t work right, so I made it up myself :d In any case, I really like looking at the source code for different sites, ’cause I like seeing how they did things. It’s just a way to see what other options are out there, ’cause we all code differently.

  32. Sairisu said:
    On 04 Nov at 2:42 pm

    HEY! That was MY question! x3 Thanks for answering it, though….(awe ._.)

  33. Jordie said:
    On 06 Nov at 8:11 am

    How do you hide your source code? That’s easy — don’t have any! The Internet will have one less idiot that way.

  34. Jessica said:
    On 06 Nov at 4:09 pm

    I love looking at sources. I see something I have been trying to figure out & get all excited I think I might pee my panties. If I can’t totally figure it out from a source I go looking for tuts. Then I figure it out from there till it works on all 4 browsers I have. I just figured out how to make block quotes all pretty…. yes sad it took me that long. I also figured out how to make the headers look different in the content & side bar. I was thinking of making a list of sites that have those damned java script pop ups. Maybe publish it on my site (once the domain resolves).

  35. Hemanth said:
    On 20 Jan at 11:54 am

    There are lots of people who try to hide code. Some just for the heck of it. Even Google has tried (show_ads.js). They have renamed all the function names and attributes to single letters too. Making it very unreadable but not impossible. I am a novice who learns something when the requirement arises and do not try to memorise any stuff. Now to read something unreadable I have to learn to make something unreadable or hide. To rebuild something, finding out how it was broken apart is a good starting point. Isn’t it. Thank you all for the info I got here. Regards Hemanth