Friday, 22 May 2009

Spambot Killer ASP.NET

I had reached the point in developing my first ASP.NET website (for my first C#/.NET application, an Accommodation Booking System) where I needed to find a good way of 'encoding' any email addresses on the site. I had seen this mentioned from time to time over the years, but it wasn't until I was looking for something else that I felt it was time to see what other people were doing and suggesting.

ASP.NET Hyperlink Control

I soon found an article by Peter Bromberg called Spambot Killer ASP.NET Mailto: Hyperlink Control, in which Peter goes through some custom code that overrides certain Hyperlink functions and "... convert everything into it's HTML Entity representation.", making the address difficult for spambots to recognize as an email address.

Registering the Custom Control

Not having had much experience of Custom Controls, I found it difficult to figure out how to register this new control.

Soon I found that the 'web.config' file could hold the registration, which also makes the control available to the whole site, so I added this under the 'controls' section:

<add tagPrefix="pab" namespace="PAB.WebControls" />

and sure enough the page that was trying to use it no longer complained, and I could remove my attempt at registering it before the HTML code.

<pab:emailLink ID="supportHyperLink" runat="server" ToolTip="Support email address" />

As you will notice, I have left out the NavigateUrl attribute as well as Text. I did this so I could set them in the code-behind file:

supportEmail = ConfigurationSettings.AppSettings["SupportEmail"];
supportHyperLink.Text = supportEmail;
supportHyperLink.NavigateUrl = "mailto:" + supportEmail;

The supportEmail variable is a public string that I declared in the class. It takes the value of an AppSetting called 'SupportEmail' from the web.config file, and this value is then assigned to Text and to NavigateUrl (prefixed with 'mailto:').

<pab:emailLink ID="supportHyperLink" runat="server" ToolTip="Support email address" />

Adding/Changing the EmailLink Class

I noticed (of course) that the generated Text (which in my case is also the email address) was kept as plain text. Although the function had done the job of obfuscating/encoding the email address in the hyperlink, I also needed the same process applied to the Text attribute, otherwise I would expect it to be all for nothing. I decided to change the else if block relating to 'mailto:' in the Render function:

link.NavigateUrl = HtmlObfuscate(link.NavigateUrl);
writer.WriteAttribute("href", link.NavigateUrl);
if(Text.IndexOf('@') > -1) Text = HtmlObfuscate(Text);

so if the Text attribute contains an '@' symbol it is obfuscated, as there is a good chance it is an email address.

In addition to this I added

if (!string.IsNullOrEmpty(link.ToolTip))
{
    if (link.ToolTip.IndexOf('@') > -1) link.ToolTip = HtmlObfuscate(link.ToolTip);
    writer.WriteAttribute("title", link.ToolTip);
}

again to make sure that, if the ToolTip (when it isn't null or empty) appears to contain an email address, it is obfuscated.
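To show what the entity encoding produces and what it does not protect against, here is an added example (not code from this post or from Peter Bromberg's control). The class name, the body of HtmlObfuscate, the ObfuscateIfEmail helper and the sample address are assumptions; it runs as a console program on a .NET version that provides System.Net.WebUtility.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: this HtmlObfuscate body is an assumption,
// not the implementation from Peter Bromberg's control.
public static class ObfuscationDemo
{
    // Replace every character with its decimal numeric character reference.
    public static string HtmlObfuscate(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(value.Length * 6);
        for (int i = 0; i < value.Length; i++)
        {
            int codePoint = value[i];
            if (char.IsSurrogatePair(value, i))
            {
                // Combine the pair so non-BMP characters stay valid references.
                codePoint = char.ConvertToUtf32(value, i);
                i++;
            }
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }

    // Same guard the post applies to Text and ToolTip: encode likely addresses only.
    public static string ObfuscateIfEmail(string value)
    {
        return !string.IsNullOrEmpty(value) && value.IndexOf('@') > -1
            ? HtmlObfuscate(value) : value;
    }

    public static void Main()
    {
        string address = "support@example.com"; // constructed sample value
        string href = HtmlObfuscate("mailto:" + address);
        string text = ObfuscateIfEmail(address);
        Console.WriteLine("<a href=\"{0}\">{1}</a>", href, text);
        // Check that no literal '@' is left in the markup for a raw-source pattern match.
        Console.WriteLine(href.IndexOf('@') == -1 && text.IndexOf('@') == -1);
        // Any HTML parser restores the address, so this only deters harvesters
        // that scan the page source without decoding entities.
        Console.WriteLine(WebUtility.HtmlDecode(text) == address);
        // HTML-encoding an already obfuscated value escapes its '&' and breaks the link text.
        Console.WriteLine(WebUtility.HtmlEncode(text).StartsWith("&amp;#", StringComparison.Ordinal));
    }
}
```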


Richard
Visionscape
