{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 闹够了就滚 的问题《CF-Hash attribute and script mysteriously added to》','https://www.manongdao.com/q-439425.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a development site and production site:
I have a mailto email link at the bottom, the php source code is exactly as follows:
<section>
<h2>Looking for a LAMP, WordPress or Drupal Developer?</h2>
<p>Contact me today: <br/>
<a href='mailto:mail@example.com'>mail@example.com</a>
<br/>
<a href='tel:+13334445555'>333 444 5555</a>
</p>
</section>
Everything is normal on my development site, the produced html is as follows:
<section>
<h2>Looking for a LAMP, WordPress or Drupal Developer?</h2>
<p>Contact me today: <br>
<a href="mailto:mail@example.com">mail@example.com</a>
<br>
<a href="tel:+13334445555">333 444 5555</a>
</p>
</section>
Then mysteriously on my production site some javascript is being added my my mailto link (and only mailto links, in this case just the one but I have added more and the script is added to them as well) Here is the html output on the production site:
<section>
<h2>Looking for a LAMP, WordPress or Drupal Developer?</h2>
<p>Contact me today: <br>
<a href="mailto:mail@example.com">mail@example.com
<script cf-hash="f9e31" type="text/javascript">
/* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function() {for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */
</script>
</a>
<br>
<a href="tel:+13334445555">333 444 5555</a>
</p>
</section>
I have checked the code on my production server, this script is not there.
What could possibly be going on?
Cloudflare hides the email address to prevent bots from scraping them from web pages.
If you are a normal web user rather than a bot you will be running JavaScript. Cloudflare inject JavaScript which unscrambles the email addresess.
Some web pages wont allow inline JavaScript to run and thus end users cant see the email addresses.
Consider varying the Content_Security-Policy meta tag emitted by the website to allow the running of inline JavaScript.
e.g. see use of 'unsafe-inline';
"As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example."
More useful information on this here : https://developer.chrome.com/extensions/contentSecurityPolicy
This isn't related to ColdFusion. In this code,
cf-hashis an attribute of aSCRIPTtag (plain HTML). Searching on 'cf-hash="f9e31" gets a lot of similar code out there. Found this link that points to it possibly being a CloudFlare Email Protection script. That would be something running on your production server that's not in your local development environment.CloudFlare obfuscates your email address by default. If you want to ignore obfuscation for a email, just wrap them in HTML comment tags like this. CloudFlare will ignore these.
Source: http://roaringapps.com/blog/cloudflare-email-obfuscation/