Fix #1907 – Obfuscate contact email addresses in public HTML (#5477)

* Include nix development enviornment * Obfuscate contact email addresses in shop HTML and deanonymize via JavaScript This change addresses #1907: "hide contact e-mail address in source code of a shop". - Contact email addresses rendered in public-facing templates are now obfuscated in the HTML source (e.g., replacing "@" with "[at]" and "." with "[dot]"). - A new JavaScript file is included in the relevant templates to automatically rewrite and restore the email address for users after the page loads. - This approach helps protect email addresses from basic harvesting bots and reduces spam, while keeping them accessible and user-friendly for human visitors. - The obfuscation and deanonymization logic is only applied to web templates, not to emails sent via pretix. This implementation follows the recommendations discussed in #1907, using a standardized, maintainable approach that’s compatible with pretix's asset pipeline and template structure. * Undo nix development environment for merge into main * convert complete mailto-link to HTML entities * remove gitignore noise * Update .gitignore * fix gitignore noise * Update .gitignore --------- Co-authored-by: Richard Schreiber <schreiber@rami.io>
2026-02-27 08:50:33 +01:00
parent a25bca7471
commit 2066471086
5 changed files with 25 additions and 2 deletions
--- a/src/pretix/base/templatetags/anonymize_email.py
+++ b/src/pretix/base/templatetags/anonymize_email.py
@@ -0,0 +1,13 @@
+from django import template
+from django.utils.html import mark_safe
+
+register = template.Library()
+
+
+@register.filter("anon_email")
+def anon_email(value):
+    """Replaces @ with [at] and . with [dot] for anonymization."""
+    if not isinstance(value, str):
+        return value
+    value = value.replace("@", "[at]").replace(".", "[dot]")
+    return mark_safe(''.join(['&#{0};'.format(ord(char)) for char in value]))
--- a/src/pretix/presale/templates/pretixpresale/event/base.html
+++ b/src/pretix/presale/templates/pretixpresale/event/base.html
@@ -6,6 +6,7 @@
 {% load eventurl %}
 {% load safelink %}
 {% load rich_text %}
+{% load anonymize_email %}
 {% block thetitle %}
    {% if messages %}
        {{ messages|join:" " }} :: 
@@ -219,7 +220,7 @@
 {% endblock %}
 {% block footernav %}
    {% if request.event.settings.contact_mail %}
-        <li><a href="mailto:{{ request.event.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="{{ 'mailto:'|add:request.event.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
    {% endif %}
    {% if request.event.settings.privacy_url %}
        <li><a href="{% safelink request.event.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>
--- a/src/pretix/presale/templates/pretixpresale/fragment_js.html
+++ b/src/pretix/presale/templates/pretixpresale/fragment_js.html
@@ -21,4 +21,5 @@
    <script type="text/javascript" src="{% static "pretixpresale/js/ui/cart.js" %}"></script>
    <script type="text/javascript" src="{% static "pretixpresale/js/ui/iframe.js" %}"></script>
    <script type="text/javascript" src="{% static "pretixbase/js/addressform.js" %}"></script>
+    <script type="text/javascript" src="{% static "pretixbase/js/deanonymize_email.js" %}"></script>
 {% endcompress %}
--- a/src/pretix/presale/templates/pretixpresale/organizers/base.html
+++ b/src/pretix/presale/templates/pretixpresale/organizers/base.html
@@ -5,6 +5,7 @@
 {% load thumb %}
 {% load eventurl %}
 {% load safelink %}
+{% load anonymize_email %}
 {% block thetitle %}
    {% block title %}{% endblock %}{% if url_name != "organizer.index" %} :: {% endif %}{{ organizer.name }}
 {% endblock %}
@@ -97,7 +98,7 @@
 {% endblock %}
 {% block footernav %}
    {% if not request.event and request.organizer.settings.contact_mail %}
-        <li><a href="mailto:{{ request.organizer.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="{{ 'mailto:'|add:request.organizer.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
    {% endif %}
    {% if not request.event and request.organizer.settings.privacy_url %}
        <li><a href="{% safelink request.organizer.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>
--- a/src/pretix/static/pretixbase/js/deanonymize_email.js
+++ b/src/pretix/static/pretixbase/js/deanonymize_email.js
@@ -0,0 +1,7 @@
+document.addEventListener('DOMContentLoaded', function() {
+    document.querySelectorAll('a[href^="mailto:"]').forEach(function(link) {
+        // Replace [at] with @ and the [dot] with . in both the href and the displayed text (if needed)
+        link.href = link.href.replace('[at]', '@').replace('[dot]', '.');
+        link.textContent = link.textContent.replace('[at]', '@').replace('[dot]', '.');
+    });
+});