Hiding data from crawlers via base64 self decrypting html fields

I was looking at ypnose's contact page; he has a really UNIX-oriented way of providing his email address.

This might not be a viable option at all times though, for example while on a smartphone.

<span onclick="this.innerHTML = atob(this.innerHTML)">aGVsbG8gd29ybGQ=</span>

What this does is call atob() (base64 to string) on its own content (this.innerHTML) and set its own content to the returned string.

In this example, aGVsbG8gd29ybGQ= is base64 for hello world, which you can get by running:

printf 'hello world' | base64

Here's an example of it in action:

These functions are deprecated on this domain due to inline JavaScript being disabled via CSP.


As you might have noticed, decoding the innerHTML of the element can be problematic: if you click it twice, it'll interpret hello world as base64 too.

In order to fix this, you can run atob() on a static string instead.

Here is an example of how to generate your own static string for decoding:

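# Encode the text once; the base64 alphabet contains no quote characters, so it is safe inside the attribute
BASE64="$(printf 'hello world' | base64)"
echo "<span onclick=\"this.innerHTML = atob('$BASE64')\">click me!</span>"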

And here is the output:

click me!
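
A variant that still works when inline JavaScript is blocked by CSP and that cannot be decoded twice, as an added example that is not code from the original page. The `data-b64` attribute, the `reveal` class and the function names are assumptions; the script is meant to be served as an external file.

```javascript
// Assumed markup (hypothetical attribute name data-b64):
//   <span class="reveal" data-b64="aGVsbG8gd29ybGQ=">click me!</span>
// Loaded via <script src="..."> so no inline handler is needed under CSP.

// atob() returns one character per byte, so re-decode the bytes as UTF-8
// to keep non-ASCII text intact.
function decodeBase64Utf8(b64) {
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Decode the static payload once. The payload lives in an attribute, not in
// the element's content, so a second click has nothing left to decode.
function reveal(el) {
  const b64 = el.dataset.b64;
  if (b64 === undefined) return false; // already revealed
  // textContent instead of innerHTML: the decoded text is never parsed as HTML.
  el.textContent = decodeBase64Utf8(b64);
  delete el.dataset.b64; // in a browser this removes the data-b64 attribute
  return true;
}

// Attach click handlers to every element carrying an encoded payload.
function attachReveal(root) {
  for (const el of root.querySelectorAll("[data-b64]")) {
    el.addEventListener("click", () => reveal(el));
  }
}

// Only runs in a browser; the guard keeps the file loadable elsewhere.
if (typeof document !== "undefined") {
  attachReveal(document);
}
```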