So I’ve been working recently on a script to obfuscate client-side code for protecting intellectual property without interfering with the appearance or interactivity of the resulting page. The process is as follows:

1. HTTP request comes in, .htaccess redirects (.*) to parse_request.php
2. parse_request.php creates a "phpURLParser" class whose class variables are essentially copies of the $_SERVER variables
3. phpURLParser looks at the requested path, and sometimes the host, referer, or other server-side information to determine how to react. There are several possible responses

a. The requested object was a .js or .css file. Pass the file to the YUI Compressor and send the output

b. The requested object is an image or application. Pass the file with no change

c. The requested object contains HTML. Replace every ASCII character with its 2-digit hexadecimal equivalent and send the following javascript:

<script type="text/javascript">
var x="~lots of hex~";
var y="";
for(i=0; i<x.length; i+=2){
    y += unescape('%'+x.substr(i,2));
}
document.write(y);
</script>

So the website is replaced by a lot of hex and a small javascript to return the hex to its original form. I have an example of this setup at examples.chikachu.com/colorbox/example1 (I didn’t code ColorBox, it’s a free jQuery tool that I chose to use since it allowed me to test several different javascript features and make sure they all worked)

Now for the problem:

As it turns out, this works 99% of the time. But AJAX makes it angry. Clicking one of the AJAX examples (under "Other Content Types") will look like it redirects you to a new page. Looking in the address bar or viewing the page source will prove that you’re still on the same page, however. Using the Inspect Element tool in Chrome (or Firebug in Firefox) will reveal that the contents of the webpage were entirely replaced by the contents of the AJAX request.

If I modify parse_request.php slightly to allow the file requested by the AJAX to be passed through unharmed, everything works. No problem. So for some reason my script which replaces the string of hex with its meaningful HTML counterpart is overwriting the entire website instead of nicely inserting itself within the confines of a <div> object.

Essentially here’s the expected non-obfuscated HTML:

<html>
<head>
    ...
</head>
<body>
    <div id="colorbox">
        <INSERT AJAX HERE>
    </div>
    ...
</body>
</html>

With only the AJAX obfuscated, I expect the following:

<html>
<head>
    ...
</head>
<body>
    <div id="colorbox">
        <script type="text/javascript">
        var x="asdfasdfasdfasdf";
        var y="";
        for(i=0; i<x.length; i+=2){
            y += unescape('%'+x.substr(i,2));
        }
        document.write(y);
        </script>
    </div>
    ...
</body>
</html>

I expect that the document.write() line here will write y at the location of the javascript (within the <div>). If I’m mistaken and that’s not how document.write() works, I still expect it to write y at the end of the document. Instead, the entire document is replaced by y. Why is this, and what’s my solution?