I hate people viewsourcing my code


I hate people viewsourcing [hey ! I coined a new word :)] my code, what do I do ?


People who did not understand my newly invented word even after spending 5 or more seconds, please do not bother.. read on


Let's suppose I designed a great web page which contains some cleverly designed scripts and I want to protect its source code. What do I do? There are multiple ways; one common way is encoding it with Microsoft Script Encoder (it's a simple command-line tool).


It's all good for a simple web page, but things are not so easy when we add a few variables, like: what if your page is dynamic (e.g. being generated using some server-side code)? Or what if you want to protect some XML data or HTML data (something important like a connection string)?


I recently handled one case like this. Instinctively I suggested using "Microsoft Script Encoder", but on further discussion with the customer, I realized they finally need to protect HTML/XML, not a script, and their page is dynamically generated using ASP.


Now, running a command-line tool on a web server is surely not a great idea [ok..sorry ..all generalizations are false!]. Beyond that, it's also not a great way of coding: you would need to persist your dynamically generated page to disk, programmatically launch a command-line tool to convert the page to its encoded form, and then send that encoded page to the user agent.


On researching further I realized that "Microsoft Script Encoder" uses the "Microsoft Scripting Runtime" Scripting.Encoder object under the hood.. so I thought of playing with it a bit.. just to give you a backgrounder [oh..new word again! Are you reading this, Oxford!], I never used the encoder object before this case came to me. When I looked for the documentation for this object, it was limited [I just want to avoid saying that there was no documentation.. but don't worry, I already looped in MSDN support].


So, the only option was playing with it. After some trial, error and testing I was able to devise the following method for achieving the desired results:


1)    Create an object of “Scripting.Encoder” (e.g. oScrEnc)
2)    Rather than directly writing the HTML that’s generated on the server side, wrap it in “document.write” [because the script encoder or Microsoft Scripting Runtime can only encode script] and store it in a string (e.g. strHTML)
3)    Pass this string to EncodeScriptFile (e.g. oScrEnc.EncodeScriptFile(".js", strHTML, 0, "js")). This will return the encoded script.
4)    Now, write the encoded script wherever you want in your page, in between <script language = Jscript.Encode> </script> [note the language attribute, that’s required for the browser to understand the encoded script]

Have a look at the following code snippet for the completed code:  

[We are not talking about protecting the source code from seasoned hackers; it's about protecting it from the people who will do a quick view source and put the script in their web page]



Encode.asp
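
The four steps above as an added example (this is not the post's original Encode.asp attachment): server-side JScript for a classic ASP page, to be placed inside `<% %>` on a page declared with `Language="JScript"`, written in ES3 syntax. The helper names `toDocumentWrite` and `encodeHtmlBlock` and the sample HTML are assumptions; the `EncodeScriptFile` arguments are the ones given in step 3.

```javascript
// Added example; helper names are hypothetical, not from the original post.

// Step 2: turn server-generated HTML into a document.write("...") statement.
// Anything that could terminate or corrupt the string literal is escaped:
// backslashes first, then quotes, line breaks, and "</" (so a closing tag
// inside the HTML can never be read as the end of the script element).
function toDocumentWrite(html) {
  var escaped = String(html)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/<\//g, "<\\/");
  return 'document.write("' + escaped + '");';
}

// Steps 3 and 4: encode the statement and wrap the result in a script element
// whose language attribute tells the browser to decode it before running it.
// The output is encoded, not encrypted: as the post says, it only deters a
// quick view-source, so secrets must stay on the server.
function encodeHtmlBlock(encoder, html) {
  var encoded = encoder.EncodeScriptFile(".js", toDocumentWrite(html), 0, "js");
  // Closing tag is split so it is safe inside a server-side script block.
  return '<script language="JScript.Encode">' + encoded + "</scr" + "ipt>";
}

// Step 1 (classic ASP only): create the encoder and emit the encoded block.
// Outside ASP the Server object does not exist and this part is skipped.
if (typeof Server !== "undefined") {
  var oScrEnc = Server.CreateObject("Scripting.Encoder");
  // Constructed sample markup standing in for the dynamically generated HTML.
  var strHTML = '<table id="orders">\r\n<tr><td>Sample "row"</td></tr>\r\n</table>';
  Response.Write(encodeHtmlBlock(oScrEnc, strHTML));
}
```
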


Comments (4)
  1. I hate people viewsourcing [hey ! I coined a new word :)] my code, what do I do ? People who did not

  2. Wil Clouser says:

    Why invest so much time in obfuscating the code when, as you mention, someone that knows what they’re doing will be able to get around it anyway.

    How about sprinkling your clever code with comments so people can understand exactly what you’re doing.  Make it as modular as possible and write up a short readme so people can get an idea of how it works.  Put your email address in the code so people will have a place to go with questions or ideas for enhancements.

    Maybe that person viewsourcing your code will be able to stand on your shoulders and make something even cooler.

    Six months from now you might see your code doing something you never even thought of – that’s the beauty of the open web.  Share with others and we all improve.

    I agree 101% whatever you say in (2) and (3) para. About why to invest so much time in obfuscating the code? Here are my views: 1) Doing and improving in obfuscation is always a good mental exercise 🙂 2) Not everybody is a programmer or somebody who knows how to get around the obfuscated code, he may not even know what obfuscation of the code is ..or.. ok.. the point is, sometimes you just want to make your code unreadable for a specific group, and believe it or not, there are groups in which just a page sprinkled with obfuscated variable names and method names will make the code useless [to borrow] for users, and of course some groups are other extreme .. so my friend, it’s all relative.. and all generalizations are false

  3. Martin says:

    “great web page which contains some cleverly designed scripts”

    A web page that only works in Internet Explorer is never designed clever anyway, so if you even consider to use this jscript.encode-crap you can be pretty sure no one will be interested in your code anyway so you can just leave it as it is… And even if you encode your scripts they can anyhow very easily be decoded so there is really no point to do anything like this.

    And why the heck shall you even try to “hide” something that you think is “clever”. The only reason I can find is if you think your code is so ugly that you are ashamed of it…

    Hey ..thanks a lot for your compliments and impartial views 😉 come on.. we are not talking about encrypting! It's just encoding.. so that end users (who may or may not understand the value of the code) shouldn’t play with it, there are always different levels of barriers for different type of people. If they can cross those barriers, they deserve crossing it. Life is a test .. add a few more
    PS: I am not a lawyer, I am not talking in legal terms and these are my own views, I am not a doctor and I am not talking in medical terms etc.. ..

  4. Asd says:

    This is moronic. If you do not want people to see your source then do not use any client side scripting. It is as simple as that.

    Why don’t you want people to see it?

    1. It is insecure

    Well then you need to fix it, not try to hide the problem.

    2. Your code is crap.

    Give up programming. You suck

    3. People are ripping off your code.

    I doubt your code is good enough that anyone with brains would rip it off.

    I get ur’ point! Let me explain. umm.. why did you choose your name as “Asd”? Isn’t there any way to find who actually is the commentator? yep..there is, but still you choose “Asd”. Well, I understand sometimes encoding is required. Oh..yes thanks for all the compliments above 🙂

Comments are closed.
