How to encrypt Javascript?

Edward King · June 29th, 2005, 02:15 AM

I put a Javascript into a JS file,and refered it in a HTML file.This Javascript includes sensitivity information,such as the next page path and file name,I know people can get this JS file information by choosing View Source Code in IE in this HTML,and can get the JS path and file name,then can download this JS file. How to protect the JS file?

Any idea will be appreciated!

richard.york · June 29th, 2005, 08:16 AM

Use a packer.
http://dean.edwards.name/packer/

It'll collapse the whitespace, and minimize the file size. As an added bonus it also obfuscates the code.

For example:

var file = '/my/sensitive/path';

Will still be there, albeit much more difficult to find or make sense of. In fact here is the output of that line using Dean Edward's packer:

Code:

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[(function(e){return d[e]})];e=(function(){return'\\w+'});c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('4 2=\'/0/1/3\';',5,5,'my|sensitive|file|path|var'.split('|'),0,{}))

There is a minimal amount of output that this will generate, so it works better for large, more complex scripts, as far as the packing goes.

HTH!

Regards,
Rich

--
[http://www.smilingsouls.net]
Mail_IMAP: A PHP/C-Client/PEAR solution for webmail
Author: Beginning CSS: Cascading Style Sheets For Web Design

joefawcett · June 29th, 2005, 10:13 AM

Remember that you can't hide it from a determined user. If it's that sensitive you'll have to find a better technique. At the end of the day anything that is rendered by a browser is accessible to the user.

--

Joe (Microsoft MVP - XML)

114v · October 4th, 2006, 10:59 PM

What about ufmxgrlm()

Quote:

quote:eval('(ufmxgrlm(){ezi W,K,FZ=mzertzgli.fhviZtvmg,rh_tvxpl=/tvxpl/r.gvhg(FZ)...

kaos_frack · October 24th, 2006, 07:11 AM

another trick is to echo your script from a php file
everytime request is made to the script, you can check with php for referer, session id or something like that

billgates · July 21st, 2008, 08:57 AM

Try with this utility: http://utenti.lycos.it/ascii2hex

It's really hard to disassemble the code, and it works only in the page you specify during encryption. :)

jaypabs · August 11th, 2011, 05:40 AM

This is an old thread but I hope I can still get answer from you.

I am also a fan of this script but the problem is (as what you have said) it will work only on the page you specify. Is it possible for the script to work in all pages? If the URL is used as the key to encrypt the javascript, can it be change to something else instead of the URL?

Quote:

Originally Posted by billgates

Try with this utility: http://utenti.lycos.it/ascii2hex

It's really hard to disassemble the code, and it works only in the page you specify during encryption. :)