feat: obfuscate all email addresses and mailto links as HTML entities

Added EmailObfuscator class (src/EmailObfuscator.php) that converts email addresses to HTML decimal entities (e.g. foo@...) so browsers render them correctly but bots and scrapers see gibberish. Methods: - email($addr): obfuscate for display in HTML content - mailto($addr): return obfuscated mailto: href - obfuscateHtml($html): post-process rendered HTML to obfuscate all mailto: links (used after Parsedown/Markdown rendering) Applied to: - partage/index.php: mailto link at top + error scenarios via _flash_contact flag rendered in form.php (outside htmlspecialchars to avoid double-escape) - admin/acces.php: request email mailto links - admin/file-access.php: request email mailto links - public/about.php: contact email mailto links - public/tfe.php: author contact mailto links - AboutController: Parsedown output post-processing - LicenceController: Parsedown output post-processing - Dispatcher::render(): require_once EmailObfuscator for all public views Also fixed _flash_contact session flag in form.php partial to show contact email line on share link validation errors (separate from flash_error/warning to bypass htmlspecialchars double-escaping).
2026-06-26 08:39:18 +02:00 · 2026-05-10 14:51:37 +02:00
parent ab6e266807
commit 38dc8de9d8
14 changed files with 159 additions and 19 deletions
--- a/app/templates/admin/acces.php
+++ b/app/templates/admin/acces.php
@@ -181,6 +181,19 @@
 +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
 +\\\\\\\        to: kvyyvksn c5873f06 "fix: add help email, preserve file names on validation error, license fix" (rebased revision)
 ++                        $linkName = $link['name'] ?? '';
++                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: kvyyvksn c5873f06 "fix: add help email, preserve file names on validation error, license fix" (rebased revision)
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\        to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
+-                        $linkName = $link['name'] ?? '';
+-                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination)
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\        to: roqtyzln d714ae9b "feat: obfuscate all email addresses and mailto links as HTML entities" (rebased revision)
+                         $linkName = $link['name'] ?? '';
+                         $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
+                         $linkLockedYear = $link['locked_year'] ?? null;
+%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
+\\\\\\\        to: roqtyzln 34d91340 "feat: obfuscate all email addresses and mailto links as HTML entities" (rebased revision)
++                        $linkName = $link['name'] ?? '';
 ++                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
                    ?>
                    <tr class="admin-table-row" onclick="event.stopPropagation(); window.open('/partage/<?= urlencode($link['slug']) ?>', '_blank')" style="cursor:pointer">
@@ -367,9 +380,7 @@
                            <div class="access-req-card__info">
                                <div>
                                    <strong>Email :</strong>
-                                    <a href="mailto:<?= htmlspecialchars($req['email']) ?>">
-                                        <?= htmlspecialchars($req['email']) ?>
-                                    </a>
+                                    <a href="<?= EmailObfuscator::mailto($req['email']) ?>"><?= htmlspecialchars($req['email']) ?></a>
                                </div>
                                <div>
                                    <strong>Date :</strong>
--- a/app/templates/admin/file-access.php
+++ b/app/templates/admin/file-access.php
@@ -59,9 +59,7 @@
                        <div class="access-req-card__info">
                            <div>
                                <strong>Email :</strong>
-                                <a href="mailto:<?= htmlspecialchars($req['email']) ?>">
-                                    <?= htmlspecialchars($req['email']) ?>
-                                </a>
+                                <a href="<?= EmailObfuscator::mailto($req['email']) ?>"><?= htmlspecialchars($req['email']) ?></a>
                            </div>
                            <div>
                                <strong>Date :</strong>
--- a/app/templates/partials/form/form.php
+++ b/app/templates/partials/form/form.php
@@ -110,10 +110,12 @@ $checkedFormatsForSiteWeb = $checkedFormatsForSiteWeb ?? [];
    $flashError = $_SESSION["_flash_error"] ?? null;
    $flashWarning = $_SESSION["_flash_warning"] ?? null;
    $flashSuccess = $_SESSION["_flash_success"] ?? null;
+    $flashContact = $_SESSION["_flash_contact"] ?? false;
    unset(
        $_SESSION["_flash_error"],
        $_SESSION["_flash_warning"],
        $_SESSION["_flash_success"],
+        $_SESSION["_flash_contact"],
    );
    ?>
    <?php if ($flashError): ?>
@@ -127,6 +129,13 @@ $checkedFormatsForSiteWeb = $checkedFormatsForSiteWeb ?? [];
    ) ?></div>
    <script>document.addEventListener('DOMContentLoaded',function(){var el=document.getElementById('flash-warning');if(el){el.scrollIntoView({behavior:'smooth',block:'center'});el.focus();}});</script>
    <?php endif; ?>
+    <?php if ($flashContact && $mode === 'partage'): ?>
+    <?php require_once APP_ROOT . '/src/EmailObfuscator.php'; ?>
+    <div class="flash-info" role="alert">
+        Si le problème persiste, envoyez un e-mail à
+        <a href="<?= EmailObfuscator::mailto('xamxam@erg.be') ?>"><?= EmailObfuscator::email('xamxam@erg.be') ?></a>.
+    </div>
+    <?php endif; ?>
    <?php if ($flashSuccess): ?>
    <div class="flash-success" role="alert"><?= htmlspecialchars(
        $flashSuccess,
--- a/app/templates/public/about.php
+++ b/app/templates/public/about.php
@@ -83,9 +83,7 @@ function renderEntries(array $entries): string
                            fn($e) => !empty($e),
                        );
                        foreach ($emails as $email): ?>
-                        <a href="mailto:<?= htmlspecialchars(
-                            $email,
-                        ) ?>"><?= htmlspecialchars($email) ?></a>
+                        <a href="<?= EmailObfuscator::mailto($email) ?>"><?= htmlspecialchars($email) ?></a>
                        <?php endforeach;
                        ?>
                    </address>
--- a/app/templates/public/tfe.php
+++ b/app/templates/public/tfe.php
@@ -252,9 +252,7 @@
                                <span class="sr-only">(ouvre dans un nouvel onglet)</span>
                            </a>
                        <?php elseif ($_isEmail): ?>
-                            <a href="mailto:<?= htmlspecialchars(
-                                $_contact,
-                            ) ?>"><?= htmlspecialchars($_contact) ?></a>
+                            <a href="<?= EmailObfuscator::mailto($_contact) ?>"><?= htmlspecialchars($_contact) ?></a>
                        <?php else: ?>
                            <?= htmlspecialchars($_contact) ?>
                        <?php endif;