Jump to content

Email Obfuscation (EMO)


Recommended Posts

  • 1 year later...
On 9/28/2016 at 10:30 AM, Bacelo said:


<?php echo '<script src="' . $config->urls->siteModules . 'EmailObfuscation/emo.min.js"></script>'; ?>

This works fine as before - the script gets included just fine.

But, none of the included E-Mails addresses are replaced with any text and elements at all. They are still untouched present in plain text.


I ran into a similar issue with v1.1.0. using Javascript Loading method: Load file to $config->scripts 

emo.min.js is included on the page before the <!-- emo --> script block which defines var emo_addr. The function emo_replace() never gets called because at the point of script inclusion emo_addr === undefined. In v1.5 of  emo.js window.onload was removed. So the script never executes when emo.min.js is included before the <!-- emo --> script block.

I have refactored emo.js as an object literal and modified the module Code so that the script block calls emo.init(emo_addr) after defining the addresses.


Tested without problems. Modified module can be found at https://github.com/gebeer/EmailObfuscation/tree/dev

@Roope do you want a PR for that?

Link to comment
Share on other sites

  • 3 months later...

Hello @gebeer!

I made a convert to object literal on your supposal but it had issue when "JavaScript loading method" was set to:manual (where emo.js is loaded after the inline script block). So script init is now again attached to the window onload event and emo.js can be included at any part of page. Thanks for the report!

I also dropped ProcessWire namespace for continued 2.x support, thanks for a remind @Robin S! That was maybe too hesitated and no requirements for it.

Version bumped to 1.1.1 and it's available at GitHub:

Besides bugfixes this version adds support to multilanguage nosript text and template cache.

  • Like 2
Link to comment
Share on other sites

  • 1 month later...
  • 7 months later...
  • 4 months later...

New EMO version 1.2.0 released!


In this version only encryption key is stored in the emo object of html document and crypted email strings as data attributes to span elements that are used to replace found email addresses. This makes it possible to obfuscate emails generated within AJAX request.

There is also a new option at module config to lock the encryption key so that it does not change on every session like it does by default. This is required if you are caching AJAX output for more than session lifetime. Otherwise this option is good leave disabled.

Here is quick example of a simple AJAX request with obfuscated output:

<?php namespace ProcessWire;

if($config->ajax) {
  $str = "<p><a href='mailto:foo@bar.com'>Click to mail</a></p>";
  // auto obfuscation works only when complete html document is rendered so you
  // need to do manual obfuscation on AJAX calls even when mode is set to auto
  echo $sanitizer->emo($str);
  return $this->halt();

<!DOCTYPE html>
<html lang="en">
  <meta charset="UTF-8">
  <title>EMO ajax example</title>

  <div id="result"></div>
  <p><button onclick="sendExample()">Show me some</button></p>

    var sendExample = function() {
      var xhttp = new XMLHttpRequest();
      xhttp.open("POST", "<?= $page->url ?>", true);
      xhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
      xhttp.onreadystatechange = function() {
        if(this.readyState == 4 && this.status == 200) {
          document.getElementById("result").innerHTML = xhttp.response;
          // run emo init when there's something new to digest



  • Like 4
Link to comment
Share on other sites

On 2/25/2020 at 5:10 AM, grimezy said:

Just a warning, this seems to have a conflict with SEO Maestro module?  I can't diagnose much as I'm at work and it's very busy at the moment.  Can anyone else confirm this?


I can't confirm.

Running PW 3.0.123 + latest versions on both of modules.

What kind of issues are you facing?

Link to comment
Share on other sites

I am having a different issue. With v1.2.0. I get this warning: 
array_key_exists() expects parameter 2 to be array, null given
File: .../EmailObfuscation/EmailObfuscation.module:352

352 if(!is_array($options) && !array_key_exists('pageStack', $options)) {
          return false;

If $options passes the first test, it is not an array. The second test checks for array_key_exists in a non-array. Hence the warning.

The error is being triggered when $options is null.

As a temp workaround I amended the if statement to read

if(is_array($options) && !array_key_exists('pageStack', $options)) {
	return false;

Not sure though if this is correct. Maybe you wanted to return false when $options is not an array, too?


Edited by gebeer
Link to comment
Share on other sites

Hello @gebeer (and @grimezy) and thanks for the info!

I was able to reproduce this and it was purely silly mistake I made when I was rearranging stuff. The is_array check in this condition is there only to prevent such a warning in array_key_exists function.

This is now fixed in 1.2.1 version.

And finally in 1.2.2 version.

While I was there I also added conditional autoload to block admin pages which is proposed by @tpr in this thread already long ago.


  • Like 2
Link to comment
Share on other sites

  • 3 weeks later...


I had this piece of code in my template file's head section, a fix for older IE browsers:

<!--[if lt IE 9]>
    <script src="<?=$config->urls->templates?>js/html5-3.6-respond-1.4.2.min.js"></script>
    <script src="<?=$config->urls->templates?>js/rem.min.js"></script>

EMO 1.2.2 inserted its own code inside the conditional comment which resulted in it not working properly (in browsers other than old IE, of course):

<!--[if lt IE 9]>
var emo = emo || {};
emo.key = 'PDHeN7ZbGViB1m0ATUpc5rC3tY_8fgEqkl6dw2nMKQSLxWouahI.4vJFyOXzs9Rj';
	<script src="/site/templates/js/html5-3.6-respond-1.4.2.min.js"></script>
	<script src="/site/templates/js/rem.min.js"></script>

I don't know the exact way EMO determines where to place its code, but it should probably make sure its JS does not end up in any conditional comment.

Apart from that, thanks a lot for a very useful module.


Link to comment
Share on other sites

Hello @CalleRosa40 and @Brian Williamson!

And thanks for the notice!

The logic with EMO insert changed at 1.2.x update and I haven't got time to push the update yet so in a meantime please use the version 1.1.1 instead as it works without any issues. I'll try to find some time to fix the script insert to head ASAP!


  • Like 2
Link to comment
Share on other sites

@Roope, a feature request: it would be great if it was possible to avoid the email replacement within elements that are given a particular HTML class, e.g. "no-emo".

My current issue is that if I show an email address as the value of a text input or textarea then EMO replaces those strings, which create invalid markup. Probably EMO shouldn't touch emails that are the values of form elements, but it would also be handy to be able to disable EMO inside other elements so I thought I'd request that class option.

  • Like 1
Link to comment
Share on other sites

Hi all!

Issue with script insert to the head section is now fixed in version 1.2.3


@CalleRosa40 and @Brian Williamson please update and report back if you're still facing any problems.

@creativejay and @Robin S - EMO has skipped form tags on obfuscation since day one and I haven't been able to reproduce this error so I'm kind of lost here why are you guys facing this issue with recent 1.2.x update.

For example, none of the addresses in the markup below are not touched:

<form action="/">
  <input type="text" name="email" value="john@doe.com">
  <textarea name="message">john@doe.com</textarea>

Using no-emo class on element to avoid obfuscation is a nice idea but not so easy to implement safely to the current logic based on regular expressions.

  • Like 1
Link to comment
Share on other sites

1 hour ago, Roope said:

EMO has skipped form tags on obfuscation since day one and I haven't been able to reproduce this error

To reproduce, put an input element in your template that is not within a form.

<input type="text" value="someone@domain.com">


It's valid to use inputs, textareas, etc outside of a form element.

  • Like 1
Link to comment
Share on other sites

On 4/17/2020 at 1:25 AM, Robin S said:

It's valid to use inputs, textareas, etc outside of a form element.

Yes, I'm well aware that it is completely valid to have inputs and such outside of a form element and with email address EMO breaks the markup but I thought this was not the issue in your case since there was already previous post from creativejay about problems with FormBuilder and you also mentioned that EMO shoudn't touch values of form elements but you were literally talking about inputs and such, not the form element itself. Sorry about that.

There are also another technically valid situations where EMO fails e.g. like having an email inside data attribute. Generally it is kind of compicated topic to automatically replace email address by new node in every possible case without breaking things.

Anyway, current state where EMO skips whole content inside form element is not ideal since there are many cases where you can have email addresses inside form where they should get obfuscated but currenly are not. Like the one in my previous form example where email inside p element should be touched but it's not.

That said maybe we should remove the form element completely from ignored elements and concentrate only at form elements (what you suggested actually) like input, option and textarea where most likely touching email addresses will give us headaches.

I'll look into it.

  • Like 3
Link to comment
Share on other sites

  • 2 months later...

@Roope, I've noticed that the "Enable JavaScript to view protected content" notice appears for significantly longer in >= v1.2.0 than it did in v1.1.1. In the screencasts below I'm refreshing the page and I've used my browser dev tools to slow the network speed down to "Fast 3G" to make the effect more obvious. In both cases the EMO script should already be in the browser's cache.







Is there some way to speed things up so performance is closer to the older version?

A couple of other little things...

1. Could you look at appending the module version number to the JS file src as a cache-busting querystring? Without that there can be problems if you upgrade/downgrade the module and the visitor has the JS from a different version cached in their browser.

2. I wonder if the module could use a <noscript> tag in some way so that the "Enable JavaScript to view protected content" is only visible to visitors who have JS disabled. If the visitor has JS enabled but EMO has not yet decoded the email address then the notice doesn't need to be seen and this would avoid the FOUC.

  • Like 1
Link to comment
Share on other sites

  • 3 months later...

Hello @Robin S - and thanks for your efforts!

I've optimized the auto init a bit so that it kicks in earlier and now it is in the line with 1.1 version. Or actually it is slightly faster and FOUC is almost unvisible.

I also implemented the other two suggestions that you had: Wrapped replace text to noscript tag instead of span that prevents FOUC completely. Also added version number to JS autoload filename as a query string.

While I was there I replaced skipped form tag with individual form elements and also added couple of attributes to the mix. Now obfuscation is skipped in following:

Tags: head, script, textarea, option, output, input
Attributes: value, label, data

Version 1.2.4 is available at Github:


  • Like 1
Link to comment
Share on other sites

@Roope, thanks for the update.

However, the update wasn't encoding email addresses for me. After some debugging I think the problem is that this...


...and this...

if(!in_array(substr($str, 0, 5), array('<head', '<scri', '<text', '<opti', '<outp', '<inpu', 'value', 'label', 'data-'))) {

...result in the HTML getting split on the <header> tag and then email addresses following that tag are not encoded.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Similar Content

    • By MarkE
      This fieldtype and inputfield bundle was built for storing measurement values within a field, rendering them in a variety of formats and converting them to other units or otherwise modifying them via the API.
      The API consists of a number of predefined functions, some of which include...
      render() for rendering the measurement object, valueAs() for converting the value to another unit value, convertTo() for converting the whole measurement object to different units, and add() and subtract() for creating a new measurement object from the sum or difference between two other objects. In the admin the inputfield includes a checkbox (which can be optionally disabled) for converting values on page save. For an example if a value was typed in as centimeters, the unit was changed to metres, and the page saved with this checkbox selected, said value would be automatically converted so that e.g. 170 cm becomes 1.7 m.
      A simple length field using Fieldtype Measurement and Inputfield Measurement.
      Combination units (e.g. feet and inches) are also supported.
      Please note that this module is 'proof of concept' at the moment - there are limited units available and quite a lot of code tidying to do. More units will be added shortly.
      See the GitHub at https://github.com/MetaTunes/FieldtypeMeasurement for full details and updates.
    • By tcnet
      File Manager for ProcessWire is a module to manager files and folders from the CMS backend. It supports creating, deleting, renaming, packing, unpacking, uploading, downloading and editing of files and folders. The integrated code editor ACE supports highlighting of all common programming languages.

      This module is probably the most powerful module. You might destroy your processwire installation if you don't exactly know what you doing. Be careful and use it at your own risk!
      ACE code editor
      This module uses ACE code editor available from: https://github.com/ajaxorg/ace

      This module uses the JavaScript dragscroll available from: http://github.com/asvd/dragscroll. Dragscroll adds the ability to drag the table horizontally with the mouse pointer.
      PHP File Manager
      This module uses a modified version of PHP File Manager available from: https://github.com/alexantr/filemanager
    • By tcnet
      This module implements the website live chat service from tawk.to. Actually the module doesn't have to do much. It just need to inserted a few lines of JavaScript just before the closing body tag </body> on each side. However, the module offers additional options to display the widget only on certain pages.
      Create an account
      Visit https://www.tawk.to and create an account. It's free! At some point you will reach a page where you can copy the required JavaScript-code.

      Open the module settings and paste the JavaScript-code into the field as shown below. Click "Submit" and that's all.

      Open the module settings
      The settings for this module are located int the menu Modules=>Configure=>LiveChatTawkTo.

    • By tcnet
      Session Viewer is a module for ProcessWire to list session files and display session data. This module is helpful to display the session data of a specific session or to kick out a logged in user by simply delete his session file. After installation the module is available in the Setup menu.

      The following conditions must be met for the module to work properly:
      Session files
      Session data must be stored in session files, which is the default way in ProcessWire. Sessions stored in the database are not supported by this module. The path to the directory where the session files are stored must be declared in the ProcessWire configuration which is by default: site/assets/sessions.
      Serialize handler
      In order to transform session data easier back to a PHP array, the session data is stored serialized. PHP offers a way to declare a custom serialize handler. This module supports only the default serialize handlers: php, php_binary and php_serialize. WDDX was dropped in PHP 7.4.0 and is therefore not supported by this module as well as any other custom serialize handler. Which serialize handler is actually used you can find out in the module configuration which is available under Modules=>Configure=>SessionViewer.

      Session data
      The session data can be displayed in two different ways. PHP's default output for arrays print_r() or by default for this module nice_r() offered on github: https://github.com/uuf6429/nice_r. There is a setting in the module configuration if someone prefers print_r(). Apart from the better handling and overview of the folded session data the output of nice_r() looks indeed nicer.

      ProcessWire module directory
    • By Robin S
      Repeater Easy Sort
      Adds a compact "easy-sort" mode to Repeater and Repeater Matrix, making those fields easier to sort when there are a large number of items.
      The module also enhances Repeater Matrix by allowing a colour to be set for each matrix type. This colour is used in the item headers and in the "add new" links, to help visually distinguish different matrix types in the inputfield.
      A Repeater field

      A Repeater Matrix field with custom header colours

      Easy-sort mode
      Each Repeater/Matrix item gets an double-arrow icon in the item header. Click this icon to enter easy-sort mode.
      While in easy-sort mode:
      The items will reduce in width so that more items can be shown on the screen at once. The minimum width is configurable in the field settings. Any items that were in an open state are collapsed, but when you exit easy-sort mode the previously open items will be reopened. You can drag an item left/right/up/down to sort it within the items. The item that you clicked the icon for is shown with a black background. This makes it easier to find the item you want to move in easy-sort mode. You can click an item header to open the item. An "Exit easy-sort mode" button appears at the bottom of the inputfield. Configuration
      In the field settings for Repeater and Repeater Matrix fields you can define a minimum width in pixels for items in easy-sort mode. While in easy-sort mode the items will be sized to neatly fill the available width on any screen size but will never be narrower than the width you set here.
      In the field settings for Repeater Matrix you can define a custom header colour for each matrix type using an HTML "color" type input. The default colour for this type of input is black, so when black is selected in the input it means that no custom colour will be applied to the header.
      The easy-sort mode is only possible on Repeater/Matrix fields that do not use the "item depth" option.
  • Create New...