惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News - Newest:
Hacker News - Newest: "LLM"
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
H
Heimdal Security Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
N
News and Events Feed by Topic
H
Hacker News: Front Page
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
SecWiki News
SecWiki News
N
News | PayPal Newsroom
T
Tor Project blog
W
WeLiveSecurity
A
Arctic Wolf
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Secure Thoughts
月光博客
月光博客
AWS News Blog
AWS News Blog
D
Docker
C
CERT Recently Published Vulnerability Notes
MyScale Blog
MyScale Blog
Google Online Security Blog
Google Online Security Blog
大猫的无限游戏
大猫的无限游戏
T
The Blog of Author Tim Ferriss
I
InfoQ
人人都是产品经理
人人都是产品经理
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
Hacker News: Ask HN
Hacker News: Ask HN
Blog — PlanetScale
Blog — PlanetScale
博客园 - 【当耐特】
Engineering at Meta
Engineering at Meta
Stack Overflow Blog
Stack Overflow Blog
Recorded Future
Recorded Future
罗磊的独立博客
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
D
DataBreaches.Net
S
Security Affairs
WordPress大学
WordPress大学
T
Threatpost
Microsoft Security Blog
Microsoft Security Blog
V
Vulnerabilities – Threatpost
The Hacker News
The Hacker News
S
SegmentFault 最新的问题
B
Blog RSS Feed
Project Zero
Project Zero
P
Proofpoint News Feed

Hacker News

randoFont GitHub - onehorizonai/silo-terminal: A dark phosphor Apple Terminal profile inspired by the sealed systems and green-blue screens of Silo. GitHub - unihosted/unifi-os-server-docker Show HN: Onboard-CLI–a fast developer tool built in Go uses AST and LLM Show HN: Finterm.ai Finance CLI for Claude Code and Codex Show HN: Codex Explorer,一款用于 Codex CLI 的本地会话管理器 Pylon — full-stack framework for coding agents GitHub - Corgea/Sighthound: Corgea's rule-based SAST scanner Kastra | Execution Governance for AI Systems devthropology.com Embersent — Know Exactly Who Read Your Document GodUI — UI Collection for Modern Interfaces Show HN: Reverse-engineering web apps into agent tools GitHub - Kuberwastaken/subagentmaxxing: Drive OpenAI Codex & Cursor CLI coding agents as subagents with the same ergonomics as native Claude Code subagents (grok-4.5, composer-2.5, gpt-5.5). Uniform run/fanout CLI + Claude Code skill. Aside Today I’m launching papercrane-cli: a BI tool built for Claude Code | Papercrane Blog Strata - Guess the City from a 3D Map a dark terminal Blocks.ai | Connect your agent to the world. Noticky — Sticky Notes & Always-on-Top Windows for Mac Make the hard day easier for the people you love CASHFLOW — Debt Network Optimizer 0 A.D.: Empires Ascendant FormGrid - Create Delightful Forms & Surveys for Free Codapult — Everything Your SaaS Needs, Already Wired Together LaTeX Diff Viewer - GitHub Marketplace LinguaGuessr analog.watch Estimania — Daily Estimation Game I Replaced Whisper with Parakeet on a $55/Month CPU Server. Here Is What Actually Happened. HyperSwitcher – Mac App & Window Switcher CLERC-DATA/epee · Datasets at Hugging Face GitHub - gladiaio/gladia-cli EvenKeel — your money coach BareMetalRT — Bare Metal AI Build a Second Brain That Actually Remembers Why It Changed Tokenstead - Find AI Models for Your Hardware Fideby - Standing by the people you trust, when you can rubber duck GitHub - forgedculture/legibility-field-kit GitHub - ronak-create/FableCut: Zero-dependency browser video editor that AI agents can drive — JSON timeline, MCP + REST, live-reloading UI GitHub - BuceaGeorgia/VIRENA: A minimal Vision-Language-Action model you can read: frozen CLIP + a tiny head on ManiSkill PickCube. Runs on a Mac, no GPU. Fehu - Apps on Google Play GitHub - fresswolf/Slopera: The browser for the slop era Release Kiyeovo 1.0.0 · Realman78/Kiyeovo Noema — AI Company Analysis GitHub - hamidi-dev/opentab: 📊 Browse your AI coding spend in the terminal — OpenCode, Claude Code, Codex & more GitHub - sgInnora/wc2026-prediction-ledger: Receipt-verified AI prediction ledger for World Cup 2026: pre-kickoff sha256-locked forecasts scored vs results, with calibration + market baselines. Live: goalpulse.io/open-data GitHub - michaelwrites67-ctrl/yogen: 予言 Yogen — a 500-agent AI swarm that debates your idea and predicts the outcome. Self-host free with your own Anthropic key. GitHub - teddytennant/wizard: Self-extending autonomous agent in one Rust binary. One-line install, any provider (OpenAI-compatible, Anthropic, xAI) or fully local via llama.cpp, live /evolve self-modification, MCP, messaging gateway, built-in bench arcaide.foo Show HN: Android Developer Verification Package blacklisted in Aurora Store OpenDescent: Private messaging for normal people GitHub - tarunlnmiit/autopilot-jobhunt: AI job agent: scans 130+ careers pages nightly, scores every role against your resume with an LLM (0–100), alerts you on Telegram, and drafts tailored cover letters + resumes. Free & open source. 18 Words - Daily Word Challenge The State of US Local Government Accessibility 2026 flow - Real-time network throughput dashboard for the terminal. - Terminal Trove Battle LLM Robots GitHub - robesris/ffvii-realtime: Speed up Final Fantasy VII (Rebirth / Remake / Revelation) Tactical Mode slow-motion so combat plays at real-time speed Agent Sessions - Local History for AI Coding Agents Scrutora — code, cloud & consent compliance in one platform SoulOS Tutorials GitHub - gaemi/agentic-fc: Open-source football management simulation played by AI agents through MCP and watched through a TUI console. GitHub - talalalrwas/ocr-grab: Flameshot clone that adds OCR. GitHub - JustVugg/colibri: Run GLM-5.2 (744B MoE) on a 25GB-RAM consumer machine — pure C, zero deps, experts streamed from disk. Tiny engine, immense model. 🐦 GitHub - saifmukhtar/kinetic figment computer linear.gratis - Free Linear Client Feedback Forms GitHub - atelier-ws/atelier: Runtime for coding agents. Models are getting smarter, but a model is only as capable as the environment supporting it. Atelier is that environment. https://atelier.ws Atlas · Tomesphere | Tomesphere Codenames Generator GitHub - lyfeninja/lyfeninja_blkseal_python_sdk: Lightweight Python client for signing and verifying digital content using lyfe.ninja's BlkSeal product powered by BlkBolt™. Designed for zero dependencies, simple integration, and exact content verification. DateTimeMate OpenScreenShot — Full-page screenshot & annotation tool for Chrome 38-0 — Build Your Premier League Dream Team Cyrinx — data over sound, measured GitHub - BhaveshThapar/mcp-audit HN Work GitHub - Northwood-Systems/foreman: Self-hosted LLM gateway. Cost effective, deterministic, and fast. Secure and private by default. A Visualization Language for the AI Era GitHub - weirdGuy/kastor: Declarative language and toolchain for AI agents: define agents, tools and prompts in HCL, then compile to frameworks or manage them on hosted platforms with plan/apply semantics. Abralo - Run multiple Claude Code agents in one window GitHub - mehranzand/repofleet: RepoFleet is an issue-centered CLI tool for managing Git workflows across multiple repositories. Pug — Open Source Product Analytics Chiptune Radio — Aleph Void, LLC Free Mermaid Live Editor & Diagram Maker Davit — a native macOS UI for Apple containers GitHub - rowboatlabs/rowboat: Open-source AI coworker, with memory Yamanote.fun PostgreSQL on AWS: Size & Benchmark EC2 Instances GitHub - Rodiun/frugon: Free, local, open-source LLM cost analyzer — see where your LLM bill leaks, on your machine. WhimFiles - Find Any File in Seconds Agent Draw: An agent draws while you talk, built on TLDraw Neil the Seal GitHub - animesh-94/Onboard-CLI: An AST-powered, local-first CLI that visualizes complex system architectures and enforces architectural boundaries via instant Git hooks. ridealong — live London trains Clusy | Agent-Native Notebook for ML and Data Science snowscroll · Instagram, without the spiral. GitHub - vishal-dehurdle/state-harness: Runtime safety net for LLM agents. Detects token spirals, kills doomed tasks early, tells you exactly why. Rust core, Python SDK. pip install state-harness GitHub - DO-SAY-GO/freelang: I love freelang
GitHub - hirasso/html-obfuscator: Obfuscate emails, phone numbers, and other sensitive data in PHP. Invisible to humans, hidden from bots until they interact.
rasso · 2026-07-08 · via Hacker News

Latest Version on Packagist Test Status Code Coverage

Obfuscate emails, phone numbers, and other sensitive data in PHP. Invisible to humans, hidden from bots until they interact.

html-obfuscator.rassohilber.com

Motivation

Contrary to popular belief, this article by Spencer Mortensen shows that even moderate obfuscation dramatically reduces email harvesting by spam bots. Most bots simply scan raw HTML and don't simulate user interaction.

Installation

# requires PHP >= 8.4
composer require hirasso/html-obfuscator

Minimal Example

Obfuscate emails and phone numbers in $html and automatically inject the client script that reveals <ob-fus-ca-ted> custom elements in the frontend:

use function Hirasso\HTMLObfuscator\obfuscate;

echo obfuscate($html);

Manually load the client script

By default, the client <script> is auto-injected into the document. If you want more control (e.g. want the script in the <head>), use clientScript() and echo it yourself:

use function Hirasso\HTMLObfuscator\obfuscate;
use function Hirasso\HTMLObfuscator\clientScript;

// 1. Render the script in your <head>
echo clientScript();

// 2. Obfuscate your HTML — script injection is skipped because it was already rendered
echo obfuscate($html);

Features

  • Framework agnostic — works in any PHP project, independent of framework or frontend toolchain
  • There is no visual difference between obfuscated and de-obfuscated content in the browser
  • Works seamlessly with dynamically loaded content (AJAX/fetch, swup, htmx, Unpoly, ...)
  • Works without configuration, but can be customized using a fluent API
  • Fully compatible with HTML5 (thanks to PHP 8.4's new \Dom\HTMLDocument and friends)
  • Doesn't interfere with accessibility
  • Extensively tested on both ends – PHP, JavaScript, e2e, basic benchmarks

How it works

On the server, PHP searches emails and phone numbers in the HTML (plain text or href attributes) using regex, obfuscates them using a randomly selected strategy, removes the original and injects a custom element in its place.

Text nodes

Matching parts get replaced with an obfuscated element and instructions how to reveal it:

<!-- before: -->
<p>Call us at +49 176 123 45 678.</p>

<!-- after: -->
<p>Call us at  <ob-fus-ca-ted value="..." aria-label="Interact with the page to reveal"><noscript>Please activate JavaScript</noscript></ob-fus-ca-ted>.</p>

Links with matching href attribute

Everything but the scheme is stripped from the href attribute. The link gets a hidden obfuscated element with [attr="href"] injected as a child:

<!-- before: -->
<a href="mailto:mail@example.com">
  Email us
</a>

<!-- after: -->
<a href="mailto:">
  <ob-fus-ca-ted attr="href" value="..." style="display: none;"></ob-fus-ca-ted>
  Email us
</a>

Note

The scheme in obfuscated href attributes is preserved to prevent a FOUC if links are styled using a[href^="mailto:"] or a[href^="tel:"]

What can JS-disabled crawlers see?

Instead of the original values, there are now obfuscated custom elements. One for each obfuscated href attribute, one for each plaintext value.

What can JS-enabled crawlers see?

Not much more, before interaction (pointermove, pointerdown, or keydown) was detected.

Custom elements representing a text node do decode the value immediately on connectedCallback, but render it into a closed shadow root that is completely visible to humans but cannot be accessed from JavaScript.

href attributes of obfuscated links also stay empty until interaction.

Fluent API

->emails(bool)

Keep emails unobfuscated

echo obfuscate($html)->emails(false);

->phoneNumbers(bool)

Keep phone numbers unobfuscated

echo obfuscate($html)->phoneNumbers(false);

->debug(bool)

Inject the client script unminified and with logging

echo obfuscate($html)->debug(true);

->setStrategy(string)

Pin the obfuscation algorithm instead of picking one at random each time:

use Hirasso\HTMLObfuscator\Obfuscation\XorStrategy;
use Hirasso\HTMLObfuscator\Obfuscation\RevStrategy;
use Hirasso\HTMLObfuscator\Obfuscation\Rot47Strategy;

echo obfuscate($html)->setStrategy(XorStrategy::class);
echo obfuscate($html)->setStrategy(RevStrategy::class);
echo obfuscate($html)->setStrategy(Rot47Strategy::class);

An \InvalidArgumentException is thrown for unknown strategy classes.

->withAriaLabel(?string)

Customize or disable the aria-label on each obfuscated element. Pass null to omit it entirely:

echo obfuscate($html)->withAriaLabel('Hidden contact info');
echo obfuscate($html)->withAriaLabel(null); // disable

->withNoscriptText(?string)

Customize or disable the <noscript> fallback inside each obfuscated element. Pass null to omit it:

echo obfuscate($html)->withNoscriptText('Please activate JavaScript');
echo obfuscate($html)->withNoscriptText(null); // disable

->withTagName(string)

Customize the tag name of the custom element

echo obfuscate($html)->withTagName('reveal-me');

->addRegex(string)

Add custom patterns to obfuscate text that the built-in patterns can't reach. A common case is an email address split across HTML elements to allow for a line break — the built-in email regex matches a single text node, so <span>verylongemailaddress@</span>example.com would slip through. You can target this specifically:

echo obfuscate($html)
    ->addRegex('/[^\s@]+@/') // obfuscate the <span> text node ("verylongemailaddress@")
    ->addRegex('/[^\s.]+(\.[^\s.]+)*\.[^\s.]{2,}/') // obfuscate the domain part ("example.com")
;

The pattern must be a valid PCRE regex with delimiters. Each call to ->addRegex() appends one pattern; you can chain as many as you need. An \InvalidArgumentException is thrown for invalid patterns.

Advanced

[obfuscate-text]

Add an obfuscate-text attribute to any element to obfuscate all of its text content — no pattern matching needed. This is a simpler alternative to ->addRegex() when you control the markup:

<span obfuscate-text><span>verylongemailaddress@</span>example.com</span>

Every text node inside is obfuscated wholesale, and the attribute is removed from the output:

<span>
  <span><ob-fus-ca-ted value="..."></ob-fus-ca-ted></span>
  <ob-fus-ca-ted value="..."></ob-fus-ca-ted>
</span>

The <ob-fus-ca-ted> elements handle deobfuscation as usual. Content inside <pre>, <code>, <script>, and other excluded elements is left untouched even when nested inside an [obfuscate-text] element.

Obfuscating a HTMLDocument

When passing a \Dom\HTMLDocument, the obfuscation is applied directly to the document:

use Dom\HTMLDocument;
use function Hirasso\HTMLObfuscator\obfuscate;

$doc = HTMLDocument::createFromString($html);
obfuscate($doc)->saveDocument();
// $doc is now obfuscated in place

Credits

Inspiration

Before writing this, I found a few existing solutions worth mentioning.

muddle is a PHP package with many interesting obfuscation strategies. But it relies on inline <script> tags for deobfuscation, which browsers won't execute when content is injected into the DOM dynamically (AJAX, fetch, ...). It also doesn't require interaction, so browser-based crawlers will be able to see the content immediately.

astro-obfuscate and astro-mail-obfuscation are both Astro integrations that handle obfuscation well within that ecosystem. But they're tied to the Astro build pipeline and don't translate outside of it. I adopted the idea with the fallbackText from the latter, though.

I needed something that works in any PHP project, independent of framework or frontend toolchain, with no visible flash during deobfuscation. Also, I this package gave me the excuse to play around with the tooling involved with building a robust FOSS package:

Tools used

PHPStan for static analysis. PHPUnit/Pest for feature and unit tests. Vitest for unit tests of the client script. Playwright for end-to-end tests. Changesets for changelog gneration. FTP-Deploy-Action for automatic deployment of the demo site on every release.

And last, but not least, Claude Code in combination with mattpocock/skills for grilling sessions and code quality improvements. Not sure if that actually saved or cost me development time 😅

→ Browse obfuscatorTest.php to see more usage examples.