The escape() method is used to escape any character that cannot be sent correctly in clear text. For example, a space in a phone number is converted to the characters %20, which allows it to be passed in a URL.
var s = "http://localhost:8080/a?name=" + escape("AA") + "&password=" + escape("People's Republic of China");
alert(s);
Encoding text in JS involves 3 functions: escape, encodeURI and encodeURIComponent, with 3 corresponding decoding functions: unescape, decodeURI and decodeURIComponent.
1. When passing parameters, use encodeURIComponent, so that the assembled URL is not truncated by # and other special characters.
For example: <script language="JavaScript">document.write('<a href="http://passport.baidu.com/?logout&aid=7&u=' + encodeURIComponent("http://cang.baidu.com/bruce42") + '">Exit</a>');</script>
2. When redirecting to a URL, you can apply encodeURI to the URL as a whole.
For example: location.href = encodeURI("http://cang.baidu.com/do/s?word=Baidu&ct=21");
3. For data used within JS itself, escape can be used.
For example: Search the history record of the Tibetan.
4. escape encodes characters with Unicode values outside 0-255 in the %u**** format; in other cases escape, encodeURI and encodeURIComponent produce the same encoding result.
The most commonly used should be encodeURIComponent, which converts Chinese, Korean and other special characters into UTF-8 URL encoding. So if you use encodeURIComponent to pass parameters to the backend, the backend decoding needs to support UTF-8 (the encoding used in a form is the same as the current page's encoding).
escape leaves 69 characters unencoded: * + - . / @ _ 0-9 a-z A-Z
encodeURI leaves 82 characters unencoded: ! # $ & ' ( ) * + , - . / : ; = ? @ _ ~ 0-9 a-z A-Z
encodeURIComponent leaves 71 characters unencoded: ! ' ( ) * - . _ ~ 0-9 a-z A-Z
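The difference between the three encoders when a parameter value contains &, # and non-ASCII characters, as an added example that is not part of the original page. The parameter value and the serverView() helper are constructed for illustration, and the helper assumes a backend that decodes query strings as UTF-8:

```javascript
// Added example: how each encoder treats one query-parameter value.
// The value and the URL are constructed for illustration.
const value = "AA&debug=1#top 中"; // contains &, =, #, a space and non-ASCII

function buildUrl(encode, v) {
  return "http://localhost:8080/a?name=" + encode(v) + "&password=p";
}

// Assumed backend behaviour: the fragment after "#" is never sent, pairs are
// split on "&", and values are percent-decoded as UTF-8.
function serverView(url) {
  const query = url.split("#")[0].split("?")[1] || "";
  const params = {};
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? "" : pair.slice(eq + 1);
    try {
      params[key] = decodeURIComponent(raw);
    } catch (e) {
      params[key] = "<undecodable>"; // escape()'s %uXXXX is not UTF-8 percent-encoding
    }
  }
  return params;
}

function compare(v) {
  return {
    escape: serverView(buildUrl(escape, v)),
    encodeURI: serverView(buildUrl(encodeURI, v)),
    encodeURIComponent: serverView(buildUrl(encodeURIComponent, v)),
  };
}

console.log(compare(value));
```

Only encodeURIComponent delivers the value intact: encodeURI lets the value add a debug parameter and cut off password at the #, and the %u form produced by escape cannot be decoded as UTF-8.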
The escape(str) method is used to escape any character that cannot be sent correctly in clear text. For example, a space in a phone number is converted to the characters %20, allowing it to be passed in a URL.
If you need to send secure information or XML, you might want to consider sending the content using send() (secure data and XML messages will be discussed in subsequent articles in this series). If you do not need to pass data through send(), simply pass null as the parameter to the method.
The escape in JS can encrypt the data
The most annoying thing about building a web site is that the client-side JavaScript you worked hard to write, which runs in IE, is often easily copied by others. It really leaves a bad taste, considering how tiring it was to write.
But we should also clearly realize that because JavaScript code is interpreted in IE, absolute secrecy is impossible. All we can do is make copying as difficult as possible, so that the copier gives up (hopefully ~!~).
For example, encrypt the following JavaScript code:
<script language="JavaScript">
alert("黑客防线"); // the string means "Hacker Defense"
</script>
One: The simplest encryption and decryption
You are probably familiar with the JavaScript functions escape() and unescape() (a lot of web page "encryption" uses them), which encode and decode strings respectively. For example, the sample code encoded with the escape() function becomes:
alert%28%22%u9ed1%u5ba2%u9632%u7ebf%22%29%3b
How about that? Can you still read it? Of course the ASCII characters "alert" are not encoded; if we want, we can write a little JavaScript code to encode them as well, as follows:
%61%6c%65%72%74%28%22%u9ed1%u5ba2%u9632%u7ebf%22%29%3b
How about that? This time it is completely encoded!
Of course, code encoded this way cannot be run directly. Fortunately there is eval(codeString), which checks JavaScript code and executes it; the required codeString parameter is a string value containing valid JavaScript code. Combined with the decoding function unescape(), the "encrypted" result is as follows:
<script language="JavaScript">
var code = unescape("%61%6c%65%72%74%28%22%u9ed1%u5ba2%u9632%u7ebf%22%29%3b");
eval(code);
</script>
Isn't it simple? Don't be too happy: decrypting is just as simple, because the decoding code (unescape()) is handed to the other party along with it!
Two: The magic of the escape character "\"
You may not be very familiar with the escape character "\", but you probably know some of the special characters JavaScript provides, such as \n (line feed), \r (carriage return) and \' (single quote). In fact, "\" can also be followed by octal or hexadecimal digits: the character "a" can be written as "\141" or "\x61" (note the lowercase "x"). A double-byte character such as the Chinese character "黑" can only be written in hexadecimal, as "\u9ed1" (note the lowercase "u"), where the "u" indicates a double-byte character. Following this principle, the sample code can be expressed as follows.
The octal escape string is as follows:
<script language="JavaScript">
eval("\141\154\145\162\164\50\42\u9ed1\u5ba2\u9632\u7ebf\42\51\73")
</script>
The hexadecimal escape string is as follows:
<script language="JavaScript">
eval("\x61\x6c\x65\x72\x74\x28\x22\u9ed1\u5ba2\u9632\u7ebf\x22\x29\x3b")
</script>
This time there is not even a decoding function, because JavaScript converts the escapes itself when it executes. Decoding is just as simple, as follows:
<script language="JavaScript">
alert("\x61\x6c\x65\x72\x74\x28\x22\u9ed1\u5ba2\u9632\u7ebf\x22\x29\x3b")
</script>
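Methods One and Two can be undone without executing anything. The added example below (not from the original page) reads the string literals out of a script and decodes them as text instead of handing them to eval(). revealStrings() and peel() are hypothetical helper names, the samples are the page's own snippets plus one constructed two-layer sample, and only quoted string literals are handled:

```javascript
// Added example: decode obfuscated string literals as text, never via eval().
// unescape() only converts %XX / %uXXXX sequences; it does not run anything.

// Interpret \xHH, \uHHHH, octal \NNN and simple escapes as the JS parser would.
function decodeBackslash(s) {
  const simple = { n: "\n", r: "\r", t: "\t" };
  return s.replace(
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{2}|[0-7]{1,2})|(.))/g,
    (m, x, u, o, c) => {
      if (o !== undefined) return String.fromCharCode(parseInt(o, 8));
      if (c !== undefined) return simple[c] || c;
      return String.fromCharCode(parseInt(x || u, 16));
    });
}

// Return the decoded form of every quoted literal that hides something.
function revealStrings(script) {
  const literal = /(unescape\s*\(\s*)?(["'])((?:\\.|(?!\2)[^\\])*)\2/g;
  const found = [];
  for (const m of script.matchAll(literal)) {
    let text = decodeBackslash(m[3]);   // method Two
    if (m[1]) text = unescape(text);    // method One
    if (text !== m[3]) found.push(text);
  }
  return found;
}

// Keep decoding what was revealed, since the methods can be stacked.
function peel(script, maxLayers = 5) {
  const layers = [];
  let current = [script];
  for (let i = 0; i < maxLayers && current.length; i++) {
    current = current.flatMap(revealStrings);
    layers.push(...current);
  }
  return layers;
}

// Samples: the page's three snippets, plus a constructed two-layer one.
const one = 'var code=unescape("%61%6c%65%72%74%28%22%u9ed1%u5ba2%u9632%u7ebf%22%29%3b");eval(code)';
const octal = String.raw`eval("\141\154\145\162\164\50\42\u9ed1\u5ba2\u9632\u7ebf\42\51\73")`;
const hex = String.raw`eval("\x61\x6c\x65\x72\x74\x28\x22\u9ed1\u5ba2\u9632\u7ebf\x22\x29\x3b")`;
const layered = 'eval(unescape("' + escape(String.raw`eval("\x61\x6c\x65\x72\x74\x28\x31\x29")`) + '"))';

for (const s of [one, octal, hex, layered]) console.log(peel(s));
```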
Three: Encoding with Microsoft's Script Encoder
I won't say much about how to use the tool! I call the Scripting.Encoder control directly from JavaScript to do the encoding. The code is as follows:
<script language="JavaScript">
var senc = new ActiveXObject("Scripting.Encoder");
var code = '<script language="JavaScript">\r\nalert("黑客防线");\r\n<\/script>';
var encode = senc.EncodeScriptFile(".htm", code, 0, "");
alert(encode);
</script>
The result of the encoding is as follows:
<script language="JScript.Encode">#@~^[email protected]#@&ls DD ' J Hacker Defense R#[email protected]#@&fgmaaa==^ #[email protected]</script>
Ugly enough, isn't it? But matching decoding tools appeared long ago, and there are even web pages that decode it! Because the code of such a decoding page is too long, I will not go into it. Instead, let me introduce a decoding trick of my own, as follows:
<script language="JScript.Encode">
function decode() {
#@~^[email Protected]#@&ls DD ' J Hacker Defense R#[email Protected]#@&fgmaaa==^#[email protected]
}
alert(decode.toString());
</script>
How about that? Simple enough, right? The principle is this: when encoded code runs, IE decodes it first. If we put the encoded code inside a custom function, such as decode() above, and then call the toString() method on that function, what we get back is the decoded code!
If you think setting the language attribute to JScript.Encode is too easy to see through, there is also a little-known method of the window object, execScript(), whose prototype is:
window.execScript(sExpression, sLanguage)
Parameters:
sExpression: Required. String. The code to be executed.
sLanguage: Required. String. Specifies the language of the code to execute. The default value is Microsoft JScript.
When calling it, the leading "window" can be omitted!
With it we can run the encoded JavaScript code, as follows:
<script language="JavaScript">
execScript("#@~^[email protected]#@&ls DD ' J Hacker Defense R#[email Protected]#@&fgmaaa==^#[email protected]", "JScript.Encode")
</script>
You can also use method Two to encode the strings inside the quotes, so that "JScript.Encode" and the encoding signature "#@~^" do not appear in the source. The effect will be even better!
Four: Adding arbitrary NUL characters (hex 00H)
In an accidental experiment I found that any number of null characters can be added anywhere in an HTML page, and IE will still display the content and execute the JavaScript code normally. A general-purpose editor, however, shows the added null characters as spaces or black blocks, which makes the original code hard to read. Notepad, for example, shows each null character as a space. The result of "encrypting" with this principle is as follows (the spaces here represent the null characters):
<s C RI P t L ANG U A G E = "J a V a S C r i P T" >
a l er t ("黑客防线");
</SC R I P t>
How about that? Doesn't it look like a mess? If you don't know the trick, it is hard to guess that null characters (00H) are in there!
Five: Junk content plus newlines, spaces and tabs
In JavaScript code we can add large numbers of useless strings or numbers, as well as useless code and comments, so that the truly useful code is buried among them. The useful code itself can be padded with many newlines, spaces and tabs, and inside an ordinary string "\" can be used to continue the string on the next line. All of this makes the code hard to read! The form after my "encryption" is as follows:
<script language="JavaScript">
"Xajgxsadffgds"; 1234567890
625623216;var $=0;alert//@$%%&* (& (^%^
//CCTV function//
(//HHSAASAJX XC
/*
asjgdsgu*/
"黑\
客防线"//ASHJGFGF
/*
@#%$^&%$96667r45fggbhytjty
*/
//Window
)
;" #@$#%@ #432hu "; 212351436
</script>
At least if I saw code like this, I would have no desire to analyze it. How about you?
Six: Writing your own decryption function
This method is similar to methods One and Two, except that you write your own function to decrypt the code. Many VBS viruses use this method to encrypt themselves in order to evade signature scanning! Here is a simple pair of encryption and decryption functions that I wrote.
The encryption code is as follows (for details see the file "encrypt.htm"):
<script language="JavaScript">
function compile(code)
{
  // first character: shifted by the length of the code
  var c = String.fromCharCode(code.charCodeAt(0) + code.length);
  // every other character: shifted by the previous plaintext character
  for (var i = 1; i < code.length; i++) {
    c += String.fromCharCode(code.charCodeAt(i) + code.charCodeAt(i - 1));
  }
  alert(escape(c));
}
compile('alert("黑客防线");');
</script>
Running it gives the encrypted result:
o%CD%D1%D7%E6%9CJ%u9EF3%uFA73%uF1D4%u14F1%u7EE1Kd
The code that decrypts the encrypted result is as follows:
<script language="JavaScript">
function uncompile(code)
{
  code = unescape(code);
  // undo the length shift on the first character
  var c = String.fromCharCode(code.charCodeAt(0) - code.length);
  // subtract the previously recovered plaintext character
  for (var i = 1; i < code.length; i++) {
    c += String.fromCharCode(code.charCodeAt(i) - c.charCodeAt(i - 1));
  }
  return c;
}
eval(uncompile("o%CD%D1%D7%E6%9CJ%u9EF3%uFA73%uF1D4%u14F1%u7EE1Kd"));
</script>
Seven: Making use of errors
The code is tested and decrypted using the try{}catch(e){} structure. Although the idea is very good (hehe, praising myself), it is not very practical, so I only give one example:
<script language="JavaScript">
var a = 'alert("黑客防线");';
var c = "";
for (var i = 0; i < a.length; i++) {
  c += String.fromCharCode(a.charCodeAt(i) ^ 61);
}
alert(c);
// The above is the encryption code; of course, if you really use this method,
// the encryption code would not be written into the page.
// Now the variable c holds the encrypted code.
// The following function t() first assumes that the password is 0 and tries to
// decrypt and execute. If an error is encountered, it adds 1 to the password
// and decrypts and executes again, until the code runs correctly.
var d = c; // save the encrypted code
var b = 0; // assume an initial password of 0
t();
function t() {
  try { eval(c); } catch (e) {
    c = "";
    for (var i = 0; i < d.length; i++) {
      c += String.fromCharCode(d.charCodeAt(i) ^ b);
    }
    b += 1;
    t();
    // setTimeout("t()", 0); // alternative to the direct recursive call above
  }
}
</script>
The usage of escape in JS----simple encryption on the front page