feat: obfuscate all email addresses and mailto links as HTML entities

Added EmailObfuscator class (src/EmailObfuscator.php) that converts
email addresses to HTML decimal entities (e.g. foo@...)
so browsers render them correctly but bots and scrapers see gibberish.

Methods:
- email($addr): obfuscate for display in HTML content
- mailto($addr): return obfuscated mailto: href
- obfuscateHtml($html): post-process rendered HTML to obfuscate all
  mailto: links (used after Parsedown/Markdown rendering)

Applied to:
- partage/index.php: mailto link at top + error scenarios via _flash_contact
  flag rendered in form.php (outside htmlspecialchars to avoid double-escape)
- admin/acces.php: request email mailto links
- admin/file-access.php: request email mailto links
- public/about.php: contact email mailto links
- public/tfe.php: author contact mailto links
- AboutController: Parsedown output post-processing
- LicenceController: Parsedown output post-processing
- Dispatcher::render(): require_once EmailObfuscator for all public views

Also fixed _flash_contact session flag in form.php partial to show
contact email line on share link validation errors (separate from
flash_error/warning to bypass htmlspecialchars double-escaping).
Pontoporeia
2026-05-10 14:51:37 +02:00
parent ab6e266807
commit 38dc8de9d8
14 changed files with 159 additions and 19 deletions
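The obfuscation scheme the commit message describes, written out as an added example. This is not the project's `src/EmailObfuscator.php`: the class `EntityEmailObfuscator`, the helper `scraperCheck()` and the sample address are hypothetical and constructed here, and the code assumes PHP 7.4+ with the mbstring extension. It pairs the obfuscator with the check a reviewer would actually run on it: a naive address regex against the output before and after entity decoding.

```php
<?php
// Added example for this commit page; it is not the project's
// src/EmailObfuscator.php, just an entity-encoding obfuscator in the shape the
// commit message describes, followed by the check a reviewer would run on it.
// Assumes PHP 7.4+ with the mbstring extension (mb_str_split, mb_ord).
declare(strict_types=1);

final class EntityEmailObfuscator
{
    /**
     * Encode every character of $addr as an HTML decimal entity (&#NNN;).
     * Because *every* character is encoded, including " & < >, the result is
     * safe in both text and double-quoted attribute context without a further
     * htmlspecialchars() call (which would double-encode the '&').
     */
    public static function email(string $addr): string
    {
        $out = '';
        foreach (mb_str_split($addr, 1, 'UTF-8') as $ch) {
            $out .= '&#' . mb_ord($ch, 'UTF-8') . ';';
        }
        return $out;
    }

    /** href value for a mailto link: the scheme stays readable, the address does not. */
    public static function mailto(string $addr): string
    {
        return 'mailto:' . self::email($addr);
    }

    /**
     * Post-process rendered HTML and rewrite every href="mailto:..." value.
     * The captured value is entity-decoded first so an href that a Markdown
     * renderer already escaped (e.g. &amp;) is not encoded twice.
     */
    public static function obfuscateHtml(string $html): string
    {
        $result = preg_replace_callback(
            '/href="mailto:([^"]*)"/i',
            static function (array $m): string {
                $addr = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
                return 'href="' . self::mailto($addr) . '"';
            },
            $html
        );
        return $result ?? $html; // preg error: leave the HTML untouched
    }
}

/**
 * Reviewer's check: does a naive scraper regex still find the address?
 * Returns [matches in the HTML as served, matches after entity decoding].
 */
function scraperCheck(string $html): array
{
    $naive = '/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/'; // the regex a cheap harvester would use
    $decoded = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [preg_match($naive, $html), preg_match($naive, $decoded)];
}

// Constructed sample input, not taken from the project.
$addr = 'alice@example.org';

// 1. Both href and visible text obfuscated.
$fullyObfuscated = '<a href="' . EntityEmailObfuscator::mailto($addr) . '">'
    . EntityEmailObfuscator::email($addr) . '</a>';
[$raw, $decoded] = scraperCheck($fullyObfuscated);
printf("href+text obfuscated: raw=%d decoded=%d\n", $raw, $decoded);

// 2. Only the href obfuscated, visible text left as htmlspecialchars($addr),
//    which is the pattern used in the call sites of this commit.
$hrefOnly = EntityEmailObfuscator::obfuscateHtml(
    '<a href="mailto:' . htmlspecialchars($addr) . '">' . htmlspecialchars($addr) . '</a>'
);
[$raw, $decoded] = scraperCheck($hrefOnly);
printf("href only: raw=%d decoded=%d\n", $raw, $decoded);

// 3. A hostile value: every character is encoded, so a quote in the input
//    cannot close the href attribute even though the template no longer
//    wraps the return value in htmlspecialchars().
$hostile = 'x@example.org" onmouseover="alert(1)';
assert(strpos(EntityEmailObfuscator::mailto($hostile), '"') === false);
```

Run it with `php example.php`. Case 1 shows the intended effect (the raw HTML contains no `@`, so the harvester regex misses) and the caveat that matters: one `html_entity_decode()` call, or any headless browser, recovers the address, so decimal entities are friction for the cheapest scrapers, not protection. Case 2 shows that obfuscating only the href while leaving the visible text in clear gives the regex a hit on the raw HTML anyway. Case 3 shows why the call sites can drop `htmlspecialchars()` around the href, and the condition attached to that: it holds only as long as `email()` encodes every character and never passes some through unencoded.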

@@ -83,9 +83,7 @@ function renderEntries(array $entries): string
fn($e) => !empty($e),
);
foreach ($emails as $email): ?>
<a href="mailto:<?= htmlspecialchars(
$email,
) ?>"><?= htmlspecialchars($email) ?></a>
<a href="<?= EmailObfuscator::mailto($email) ?>"><?= htmlspecialchars($email) ?></a>
<?php endforeach;
?>
</address>
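Review bot: the new line `<a href="<?= EmailObfuscator::mailto($email) ?>">` drops the `htmlspecialchars()` that previously escaped the href while the link text `<?= htmlspecialchars($email) ?>` still emits the address in clear. Two consequences: the href is attribute-safe only if `mailto()` entity-encodes every character of `$email` (including `"` and `&`), because nothing in this template escapes its return value any more; and the goal stated in the commit message (scrapers see gibberish) is not met for this link, since a scraper that reads text content rather than href attributes still gets the plain address. Consider `EmailObfuscator::email($email)` for the link text, which the message describes as the display-context method, and document on `mailto()` that its output must be emitted as-is so future callers do not re-wrap it in `htmlspecialchars()` and double-encode the `&`.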

@@ -252,9 +252,7 @@
<span class="sr-only">(ouvre dans un nouvel onglet)</span>
</a>
<?php elseif ($_isEmail): ?>
<a href="mailto:<?= htmlspecialchars(
$_contact,
) ?>"><?= htmlspecialchars($_contact) ?></a>
<a href="<?= EmailObfuscator::mailto($_contact) ?>"><?= htmlspecialchars($_contact) ?></a>
<?php else: ?>
<?= htmlspecialchars($_contact) ?>
<?php endif;
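Review bot: same concern as in the other hunk, with one addition specific to this branch. `$_contact` reaches `EmailObfuscator::mailto($_contact)` unescaped by this template once `$_isEmail` is true, whereas the `else` branch still runs it through `htmlspecialchars()`; whether `$_isEmail` rejects a value that merely contains an `@` alongside a `"` is not visible here, so the class must encode the whole string rather than only the characters it considers part of an address. The visible text next to the obfuscated href also stays `htmlspecialchars($_contact)`, so the address remains readable to any scraper that looks at text rather than attributes; `EmailObfuscator::email($_contact)` would cover that side as well.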