Opened 11 years ago

Last modified 11 years ago

#9805 confirmed New Feature

mailto tag is bad

Reported by: Al Toman
Owned by:
Priority: Normal
Milestone:
Component: General
Version: 3.0
Keywords:
Cc:

Description (last modified by Jakub Ś)

Hello. I have a javascript that truly encrypts email addresses (from a Germany javascript developer) however your email linking sends an error message "wrong value" or something like that when I try to implement it. Is there a way to circumvent this so that the email address can be encrypted? The mailto tag is an open invitation to harvesters and the result here in the U.S. at least is over $29 billion dollars of damage. The mailto tag is a monster of a bug and I am reporting it here to you. It's an easy, easy fix. It just needs to be done, is all.


  1. Please check attached files.
  2. What @altoman wants is a new feature; where it is possible to define custom encrypt/decrypt functions to be used by the editor.
     1. If we are going to take a different approach and use only the functions provided by @altoman there will have to be some config option introduced (to use this method or not) so that the developer can force usage of it and the user "can't bypass it".
     2. There would have to be some documentation explaining that the decrypt function has to be used on the resulting page. Perhaps the editor could insert it.
     3. If the editor is to insert it (see point above) then perhaps these n values could also be configurable if( n >= 8364 ) {n = 128; } as now they are constant and such constant code can be implemented by a spambot.

Attachments (2)

encrypt.htm (2.7 KB) - added by Jakub Ś 11 years ago.
ckeditor2.php (3.2 KB) - added by Jakub Ś 11 years ago.


Change History (9)

comment:1 Changed 11 years ago by Jakub Ś

Status: new → pending
  1. Please provide a reduced sample that shows what exactly is wrong. I'm talking about something like an HTML page that can be put in the samples folder of CKEditor and will show what is wrong.
  2. Please also describe step by step what you do, what you expect and what you get.
  3. Your description tells us nothing right now.

comment:2 Changed 11 years ago by Al Toman

Dear unnamed support person:

This is what is severely wrong, security issue. Your ckeditor uses the html MAILTO tag. This has been for years BAD NEWS causing billions of dollars in damages worldwide.

Yet everyone shrugs it off. This is NOT professional coding.

I set up a TEST PAGE for you here:

The box on the right is your ckeditor. The box on the left is the email encryption javascript code ( as opposed to simple javascript obfuscation)

Your editor does NOT PERMIT ENCRYPTION of the emails. I would NOT recommend this editor to anyone until it considers the user's security.

Now, I can do the encryption on the back end as illustrated here:

In this test, enter XXXXX as your email link then click on save.

When you click on SAVE you will see a fieldset appear on top with the XXXXX replaced with an EMAIL ME tag. Notice that the tag is encrypted.

Professionally, this is how emails should appear on webpages.

So, is there a way I can use your ckeditor with this encryption. What would I need to do to make this happen?

If you need more information (you can observe the source code of these pages) please let me know. This would be a GREAT service to your clients and make you stand out and above your competitors.

Please note that I really like your latest update. I am telling everyone about it. VERY PROFESSIONAL and CLEAN LOOKING. NICE JOB!!!

Kind regards, Al Toman

Changed 11 years ago by Jakub Ś

Attachment: encrypt.htm added

Changed 11 years ago by Jakub Ś

Attachment: ckeditor2.php added

comment:3 Changed 11 years ago by Jakub Ś

Thank you for the pages, I have added them to this ticket.

  1. If I understand correctly you would like to have perhaps a checkbox field in the link dialog that would encrypt the "mail to" before inserting it into the editor. Is that correct?
  2. The problem I see is that the page is edited in the editor and then saved. Such a page doesn't have to be used in the editor but as a standalone webpage. In such a case the user would have to implement the decrypt method on the resulting webpage. This is something beyond CKEditor and would have to be documented well. Is there something I'm missing or do you see it differently?
  3. Any JavaScript is available in the browser thus is unsafe. No matter how good this script is there can always be a person who will decrypt such an email.
  4. One final question. You have written two times something like: "This has been for years BAD NEWS causing billions of dollars in damages worldwide"
     Perhaps I'm short-sighted but how exactly is this a threat? Could you perhaps explain what not encrypting email can cause?

comment:4 Changed 11 years ago by Al Toman

Thank you for considering this matter. Referring back to

IN RESPONSE TO YOUR #1

CASE SCENARIO 1 - Using MailTo tag

In ckeditor, I highlight my link text such as "Email Me", next I click on link and select email. Next, I enter my email address atoman@…. Then if I look at the source it shows what I expect it to show: <a href="mailto:atoman@…">EMAIL ME</a>

This works fine but exposes my email address to email harvesting robots. BAD!

CASE SCENARIO 2 - Using Encrypt code and placing it directly into the source

Now, instead, I can encrypt my email using the javascript application on the left then, in the ckeditor, click on source, then copy the code under "ORIGINAL CODE", then click out of source, then SAVE. I DO NOT USE the link dialogue!

This is the ENCRYPT code that gets copied into the ckeditor source: <a href="javascript:linkTo_UnCryptMailto('nbjmup;bupnboAfd/ss/dpn');">Email Me</a>

This also works and hides my email address. GOOD! BUT the process to accomplish a SAFE EMAIL is NOT GOOD.

CASE SCENARIO 3 - Using Link Email Dialogue and pasting in the Encrypt Code into the input field named "Email Address"

If you look at the result in the SOURCE you will see:

<a href="mailto:javascript:linkTo_UnCryptMailto('nbjmup, bupnboAfd/ss/dpn');">Email ME</a>

Notice that this looks ALMOST like in CASE SCENARIO 2 but it includes "mailto:" which causes the link to fail. That is, it still allows me to bring up my email client but it shows my email address as 'nbjmup;bupnboAfd/ss/dpn' <javascript:linkTo_UnCryptMailto;> instead of atoman@….

Is there a way you can tell me to be able to eliminate the "mailto:" in the above CASE SCENARIO 3 which would make it all work very smooth without going into source? Can we do this simply through the link dialogue. (your checkbox idea would work)

It would change <a href="mailto:javascript:linkTo_UnCryptMailto('nbjmup, bupnboAfd/ss/dpn');">Email ME</a> to <a href="javascript:linkTo_UnCryptMailto('nbjmup;bupnboAfd/ss/dpn');">Email Me</a> and work perfectly!

IN RESPONSE TO YOUR #2

You are correct. The resulting webpage(s) would require a link to the ENCRYPT script. I have that documented here: with permission from Mr. Jürgen Kummer You can see the original here:

Note: If you do NOT want to incorporate NOSPAM email links into your product, then, can you tell me what I need to do so that I can use the ckeditor? It would very much appreciated!

Note: I can also write php code to look at your ckeditor SOURCE CODE, then remove the "mailto:" quite easily before I save the editor content file. Just saying as an alternative.

IN RESPONSE TO YOUR #3

You are correct. However, you speak of a single person. Also, there are many, many javascripts that simply obfuscate the email (mostly change to ascii characters) which even I can break. The Kummer script here actually ENCRYPTS and NO ROBOT will take the time to attempt to break the code.

You can also inquire with Mr. Jürgen Kummer. We are after the HARVESTING ROBOTS THAT VIOLATE the NOFOLLOW METATAG and scan webpages for email addresses (atoman@…) These robots will go right by the encrypted email address javascript:linkTo_UnCryptMailto('nbjmup;bupnboAfd/ss/dpn');

They won't even see it!

IN RESPONSE TO YOUR #4

Again, you can inquire with Mr. Jürgen Kummer as well. Here in the United States, the MAILTO TAG causes over $29 BILLION DOLLARS (90,104,174,536 PLN) (22013059000 EURO) damages to the U.S. government and the People. We have a department in the branch of government called the FTC that fights against the security vulnerability of the MAILTO tag. It affects our WEB HOST SERVERS, TRANSMISSIONS, EMAIL CLIENTS including web mail. Many older people are gaining online access and they do not understand. Consequently, they become targets of spammers and many of them lose their life savings!

I have been fighting spam for decades! You can see on my website on the right column ways to encrypt email.

The MAILTO TAG was good when the Internet was limited to the U.S. Navy's use. However, when Sir Tim Berners-Lee invented the W.W.W., giving Internet access to over 7 billion people, the MAILTO TAG soon became BAD! The W3C should deprecate it! I don't know why they have not done so. Maybe because using it is too easy!?!

I am not asking you to modify your product. I am asking you if you can tell me what I need to do to lose the MAILTO TAG and encrypt email.

I am NOT a javascript professional such as yourself. Like I said, as an alternative, I probably can easily use php to resolve the issue, however, it would be good if it all can happen right at the link email dialogue on the ckeditor.

99% of webmasters have no clue about using the mailto tag and the monetary damages it is causing. It is important that we professionals educate them so that the W.W.W. remains a safe and productive place. We need to eliminate malicious spammers now!

Thank you again for your patience and understanding. Again, the ckeditor is a wonderful product and I do appreciate all your hard work that has gone into it. You guys are great!

Stay well, Al Toman
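The sample link in the comment above, linkTo_UnCryptMailto('nbjmup;bupnboAfd/ss/dpn'), is a mailto: URL with every character code moved up by one, and the page that shows the link has to carry a function that moves them back down. The following is an added example written for this ticket, not the Kummer script, the reporter's page or CKEditor code; it assumes that constant-offset scheme from the sample, reproduces the n >= 8364 guard quoted in the ticket description, and uses a constructed address rather than the reporter's.

```javascript
// Added reconstruction of a shift-by-one "email encryption" scheme, inferred
// from the sample href in the ticket. Not the original script.
const SHIFT = 1;

// Encoder side (what the "box on the left" does before the text is pasted).
function cryptMailto(plain) {
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    out += String.fromCharCode(plain.charCodeAt(i) + SHIFT);
  }
  return out;
}

// Decoder that must be present on every page that shows the link (comment 3,
// point 2). The n >= 8364 guard is the fragment quoted in the description:
// U+20AC (8364) is presumably what byte 128 turns into when the encoded text
// passes through a Windows-1252 page, so it is mapped back before the shift.
function unCryptMailto(encoded) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    let n = encoded.charCodeAt(i);
    if (n >= 8364) { n = 128; }
    out += String.fromCharCode(n - SHIFT);
  }
  return out;
}

// The onclick handler the href calls (hypothetical name kept from the sample);
// it only navigates when run in a browser and returns the URL either way.
function linkTo_UnCryptMailto(encoded) {
  const url = unCryptMailto(encoded);
  if (typeof location !== 'undefined') { location.href = url; }
  return url;
}

// Audit helper for your own pages: the scheme is a fixed shift, so an encoded
// value always starts with 'mailto:' shifted by one. Anything a browser can
// decode with a five-line loop, a scripted harvester can decode too, which is
// the point made in comment 3.
function isShiftedMailto(s) {
  return s.startsWith(cryptMailto('mailto:'));
}

// Constructed sample address, not the reporter's.
const sample = 'mailto:user@example.com';
const encoded = cryptMailto(sample);
console.log(encoded);                                    // nbjmup;vtfsAfybnqmf/dpn
console.log(unCryptMailto(encoded) === sample);          // true
console.log(isShiftedMailto('nbjmup;bupnboAfd/ss/dpn')); // true
```

Run it with node to see the round trip; the last line shows that the sample from the ticket is recognisable as a shifted mailto: URL without decoding it, which is why this scheme hides the address only from a robot that does not bother to look.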

comment:5 Changed 11 years ago by Al Toman

I have a solution using php on the backend:


  1. enter your email address in the box on the left
  2. click the encrypt button
  3. copy the ENCRYPT code under "Copy into editor"
  4. Create a text link in the editor
  5. click on LINK BUTTON, select EMAIL
  6. paste the ENCRYPT code into "Email Address"
  7. Click Ok
  8. Save the document, Click SAVE

The file will next appear on top. Click on the LINK and it will call your email client. You can create as many ENCRYPTED email links as you want.

The PHP:

I save the ckeditor content as "$noise".

$noise=stripslashes($noise);
$noise=str_replace("mailto:", "",$noise);

Then I save the file to my web server in the appropriate directory.

That's it! Done deal!

So, the php solution satisfies the query. However, it would be nice to eliminate the mailto tag for the millions of your other users :O)

Thanks for your attention to this matter.

Stay well, Al Toman

comment:6 Changed 11 years ago by Jakub Ś

Description: modified (diff)

comment:7 Changed 11 years ago by Jakub Ś

Status: pending → confirmed
Type: Bug → New Feature
Version: 3.0

@altoman I'm confirming this issue as new Feature.

Please also note that the editor has already got some email protection implemented -!/api/CKEDITOR.config-cfg-emailProtection
NOTE: In the second example the decode function should be defined. If such a function is defined the editor will break the email into parts. The role of the decode function is to join these parts.
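The built-in option referred to above is CKEditor's config.emailProtection. Besides the string 'encode', it accepts a function template such as 'mt(NAME,DOMAIN,SUBJECT,BODY)'; with the template the editor writes the address as a javascript: call with the parts as arguments, and the page that displays the content must define that function itself, which is the "decode function" the note above mentions. The following is an added example of that page-side function, written for this ticket and not taken from CKEditor; the template form follows the CKEditor documentation as I know it, the function body, the input checks and the sample address are my own assumptions.

```javascript
// Added example of the page-side decode function for CKEditor's
// config.emailProtection template mode. Not CKEditor's own code.

// Editor configuration (assumed page setup). With this template the link
// dialog emits e.g. <a href="javascript:mt('user','example.com','Hi','')">.
const editorConfig = {
  emailProtection: 'mt(NAME,DOMAIN,SUBJECT,BODY)'
};

// Joins the parts back into a mailto: URL. Subject and body become query
// parameters and are percent-encoded; name and domain are checked against the
// shape the dialog produces so an unexpected value cannot change the URL's
// structure (no whitespace, no '@', no '?' or '#', no '/' in the domain).
function buildMailto(name, domain, subject, body) {
  if (!/^[^\s@?#]+$/.test(name) || !/^[^\s@?#/]+$/.test(domain)) {
    throw new Error('unexpected mailbox parts');
  }
  const params = [];
  if (subject) params.push('subject=' + encodeURIComponent(subject));
  if (body) params.push('body=' + encodeURIComponent(body));
  return 'mailto:' + name + '@' + domain + (params.length ? '?' + params.join('&') : '');
}

// The decode function named in the template. It exists only on the rendered
// page; here it also returns the URL so it can be exercised outside a browser.
function mt(name, domain, subject, body) {
  const url = buildMailto(name, domain, subject, body);
  if (typeof location !== 'undefined') { location.href = url; }
  return url;
}

console.log(mt('user', 'example.com', 'Hello', ''));
// mailto:user@example.com?subject=Hello
```

Compared with the shift-by-one scheme discussed earlier in the ticket, the address is split rather than transformed, so the name and domain still appear in clear text inside the href; both approaches only raise the cost for a harvester that does not execute JavaScript, which is the limitation stated in comment 3.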

© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved.