How to Hide/Encrypt HTML Source Code

Developers are increasingly concerned about the security of their websites, so most of them want to hide their HTML code.

Although it is impossible to hide HTML source code, you can make it not easily readable by using encryption and decryption techniques, or you can disable the right mouse button using JavaScript.

Let's look at the right-click disable method first, with sample code as follows:

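<SCRIPT TYPE="text/javascript">
var msg = "You cannot use right click on this page.";
// Legacy Internet Explorer handler (document.all is IE-specific)
function clickIE() { if (document.all) { alert(msg); return false; } }
// Netscape 4 / DOM browsers: which == 2 or 3 is the middle or right button
function clickNS(e) {
  if (document.layers || (document.getElementById && !document.all)) {
    if (e.which == 2 || e.which == 3) { alert(msg); return false; }
  }
}
// Register the handlers, then suppress the context menu itself
if (document.layers) { document.captureEvents(Event.MOUSEDOWN); document.onmousedown = clickNS; }
else { document.onmouseup = clickNS; document.oncontextmenu = clickIE; }
document.oncontextmenu = new Function("return false");
</SCRIPT>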

Although this code disables the right mouse button on your page, right click stays enabled by default if JavaScript is disabled in the client's browser. Hence we need to take adequate security measures.

In the next method, we discuss encryption and decryption techniques in JavaScript with keys.

The following example encrypts and decrypts HTML source code in ASP:

<%@ Language=VBScript %>
<SCRIPT language="javascript" runat="server">
// XOR each character of s with the repeating key k, then write the
// result as two letters starting at 'a' (low nibble first).
function encodestr(s, k) {
  var sl = s.length;
  var kl = k.length;
  var out = "";
  for (var i = 0; i < sl; i++) {
    var encodedChar = s.charCodeAt(i) ^ k.charCodeAt(i % kl);
    out += String.fromCharCode((encodedChar & 0x0F) + 97) + String.fromCharCode((encodedChar >> 4) + 97);
  }
  return out;
}
</SCRIPT>

The JavaScript above runs on the server side. The function "encodestr" takes two parameters: "s", the string to be encoded, and "k", the key for encoding.

set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
objHttp.open "GET", "", false
objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHttp.send
resp = objHttp.responseText
resp = encodestr(resp, "key")

The ASP code above requests the page at the URL given in the "GET" call (left empty here as ""), stores the returned HTML as a string in the "resp" variable, then encodes it using "encodestr" and stores the result in the same variable.

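<SCRIPT type="text/javascript">
// Reverse of encodestr: rebuild each value from its two letters
// (low nibble first), then XOR with the repeating key k.
function decodestr(s, k) {
  var sl = s.length;
  var kl = k.length;
  var out = "";
  for (var i = 0, j = 0; i < sl; i += 2, j++) {
    out += String.fromCharCode(((s.charCodeAt(i) - 97) + ((s.charCodeAt(i + 1) - 97) << 4)) ^ k.charCodeAt(j % kl));
  }
  return out;
}
</SCRIPT>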

The JavaScript above runs on the client side. The function "decodestr" also takes two parameters: "s", the string to be decoded, and "k", the key for decoding, which must be the same key that was used for encoding.

<SCRIPT type="text/javascript">
document.write(<%= "decodestr(""" & resp & """,""key"")" %>);
</SCRIPT>

The script above passes the encoded string to "decodestr", and the returned string is written to the page by document.write.

Using the method above, the HTML source code is delivered in an encrypted format that is not easily readable. You can use both of the above techniques together for better security.

You can use your own technique for encryption and decryption, but make sure that the encryption code is not visible in the client's browser. For this you can use the runat="server" attribute on your JavaScript function.
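The scheme above, carried through end to end as an added example (not code from the original post): the page delivered to the browser contains both the encoded markup and the key, so the original HTML can be read back from the page source alone and nothing confidential should be placed in it. The helper names renderScriptTag and readDeliveredMarkup and the sample HTML are constructed for illustration.

```javascript
// Same XOR + two-letter encoding as the page's encodestr/decodestr,
// written with local variables so the functions can be called repeatedly.
function encodestr(s, k) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i) ^ k.charCodeAt(i % k.length);
    out += String.fromCharCode((c & 0x0f) + 97) + String.fromCharCode((c >> 4) + 97);
  }
  return out;
}

function decodestr(s, k) {
  let out = "";
  for (let i = 0, j = 0; i < s.length; i += 2, j++) {
    const c = (s.charCodeAt(i) - 97) + ((s.charCodeAt(i + 1) - 97) << 4);
    out += String.fromCharCode(c ^ k.charCodeAt(j % k.length));
  }
  return out;
}

// What the ASP page sends to the browser: the encoded markup AND the key.
function renderScriptTag(html, key) {
  return '<script type="text/javascript">document.write(decodestr("' +
    encodestr(html, key) + '","' + key + '"));</' + 'script>';
}

// Hypothetical helper: read the two arguments back out of the delivered
// page, exactly as they appear in "view source", and decode them.
function readDeliveredMarkup(page) {
  const m = /decodestr\("([a-z]*)","([^"]*)"\)/.exec(page);
  return m ? decodestr(m[1], m[2]) : null;
}

// Constructed sample input.
const SAMPLE_HTML = "<p>Hello, world</p>";
const delivered = renderScriptTag(SAMPLE_HTML, "key");
console.log(delivered);                      // encoded letters plus the key
console.log(readDeliveredMarkup(delivered)); // the original markup
```

The same holds for any key or encoding of this kind, because the browser must receive whatever it needs to rebuild the page.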

