Booking.com ROT13



  • Unfortunately "Why are your answers ROT13 encoded in your HTML?" wasn't in Booking.com's FAQ.



  • <p class="faqQ"><a href="javascript:;" onclick="itemToggle('faqa026');return false;" >I have booked a hotel but haven't received a confirmation by email. What should I do?</a></p>
    <span id="faqa026" style="display: none;" class="faqA">
    <div style="border-bottom: 1px solid #003580; background-color: #f4f5f7; padding: 6px 2px 6px 6px; overflow:hidden">
    <img src="http://r-ec.bstatic.com/static/img/transparent/85e02501df1560d359a473f544224481a83c9aa7.png" alt=" " title="Answer" hspace="5" />
    <span class="encrypted">Gel ybbxvat va gur fcnz&#47;whax sbyqref nf jryy nf gur vaobk bs gur rznvy nqqerff nggnpurq gb lbhe obbxvat. Lbh pna nyfb hfr gur obbxvat ahzore naq CVA pbqr sebz gur pbasvezngvba cntr gb ybt ba gb &lt;n ery=&quot;absbyybj&quot; uers=&quot;uggcf:&#47;&#47;frpher.obbxvat.pbz&#47;zlerfreingvbaf.ra-hf.ugzy?fvq=57o084p45085993947170q4126s056ps;qpvq=4;gzcy=cebsvyr&#47;zlerfreingvbaf&quot; gnetrg=&quot;_oynax&quot; &gt;Zl Obbxvat.pbz&lt;&#47;n&gt; gb npprff n pbcl bs gur pbasvezngvba rznvy. Nf nyjnlf, srry serr gb &lt;n ery=&quot;absbyybj&quot; uers=&quot;trareny.ra-hf.ugzy?fvq=57o084p45085993947170q4126s056ps;qpvq=4;gzcy=qbpf&#47;phfgbzre_freivpr&quot;&gt;pbagnpg hf&lt;&#47;n&gt; vs lbh arrq nal shegure nffvfgnapr.</span>
    <br /><br />
    <span id="faqa026-total" style="display: none;">
    <span id="faqa026-useful" style="float: right;">
    Was this helpful?
    <a href="javascript:;" onclick="itemToggle('faqa026', 'yes'); return false;">Yes</a>
    <a href="javascript:;" onclick="itemToggle('faqa026', 'no'); return false;">No</a>
    </span>
    <span id="faqa026-answered" style="float: right; display:none;">We appreciate your feedback!</span>
    </span>
    </div>
    </span>
    

    Let's count the WTFs:

    1. using single rot13
    2. rot13 being called "encryption"
    3. "encrypting" data on a public website served over non-ssl http without authentication
    4. 1×1px image with a tooltip
    5. div inside a span
    6. how do we make links that run javascript? ooh, I know! let's set the href to javascript:;. what does that do? it does javascript-y stuff!
    7. every link on that page, including links to other pages on the same site, is rel="nofollow"


  • At least the 1x1px image is loaded from a CDN. You have to be efficient with your 95 byte files.


  • Considered Harmful

    @Daniel15 said:

    At least the 1x1px image is loaded from a CDN. You have to be efficient with your 95 byte files.

    More likely that GUID filename is some kind of tracking code.



  • That's a common tactic...


  • Discourse touched me in a no-no place

    @Daniel15 said:

    Unfortunately "Why are your answers ROT13 encoded in your HTML?" wasn't in Booking.com's FAQ.

    Probably to defeat dumb scrapers, which appear to be an issue in the travel agency business (probably because of referral fees).


  • :belt_onion:

    @ben_lubar said:

    Let's count the WTFs:

    using single rot13
    rot13 being called "encryption"
    "encrypting" data on a public website served over non-ssl http without authentication
    1×1px image with a tooltip
    div inside a span
    how do we make links that run javascript? ooh, I know! let's set the href to javascript:;. what does that do? it does javascript-y stuff!
    every link on that page, including links to other pages on the same site, is rel="nofollow"

    Oh, I see. Quoting loses essentially all markdown code. Thanks Discourse.

    Anyway, I don't see any ROT13 at all... from Google search or the direct page itself. Fixed now I guess?

    And the point of the javascript:; in the <a> tag is so they can use anchor tags to gain CSS hover styles as if they are "links". Probably to defeat the old IE8 and lower inability to support css :hover on non-link items without having to write even MORE javascript to deal with onmouseover.

    They could have gone with a href="#" too. Scratch that, I think that method fails in other modern browsers because it does the link action rather than the onclick action. Also, they didn't just put the onclick in the href like javascript:itemToggle('faqa026', 'yes'); return false; because I think that fails to work in Opera? But whatever. And yes, it's irrelevant in the modern browser where you can just use a span tag and do css :hover rules correctly.



  • I'm still seeing it in their code (search for "encrypted"). Here's the code that handles "decrypting" it, looks like it was originally to hide email addresses or something:

    booking[sNSStartup].fixMail = {
        priority: 9,
        init: function() {
            var c = this;
            // For every element with class "encrypted": read its *text*
            // (entities already resolved by the browser), ROT13 it, and
            // write the result back as *HTML*, then drop the marker class.
            $(".encrypted").each(function() {
                $(this).html(c.deCode($(this).text()));
                $(this).removeClass("encrypted")
            })
        },
        // ROT13: shift each ASCII letter by 13, wrapping within its case;
        // 90 / 122 are the char codes of 'Z' / 'z'.
        deCode: function(c) {
            return c.replace(/[a-zA-Z]/g, function(d) {
                return String.fromCharCode((d <= "Z" ? 90 : 122) >= (d = d.charCodeAt(0) + 13) ? d : d - 26)
            })
        }
    };
    

    Bonus WTF: They read with $.text() and write with $.html(), thus turning even correctly-escaped text into an XSS hole. Genius.
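    The text-in, HTML-out pattern just described, as an added example that is not part of this thread or of Booking.com's code: a plainly written ROT13 next to the two sinks the decoded string can land in. The DOM is simulated with plain string transforms so it runs under Node without jQuery; the sample span contents (the opening words of the FAQ answer quoted above, and a constructed pre-escaped string) are assumptions for illustration.

```javascript
// Added example (not from the thread or booking.com): a readable ROT13 plus a
// simulation of the two sinks the decoded text can be written into.

// ROT13: rotate ASCII letters by 13 within their case, leave all else as-is.
// Same mapping as the deCode() routine quoted earlier, written out plainly.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Minimal HTML escaping: what a text sink (textContent / jQuery .text())
// effectively guarantees, the string is displayed and never parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the quoted page code does: the span is read as text (so any entities
// the server emitted are already literal characters), ROT13'd, and written
// back as HTML. Whatever the decoded text contains is now parsed as markup.
function decodeIntoHtmlSink(spanText) {
  return rot13(spanText);
}

// The hardened variant: same decoding, but the result is written as text,
// so angle brackets in the payload stay visible characters on the page.
function decodeIntoTextSink(spanText) {
  return escapeHtml(rot13(spanText));
}

// Constructed sample inputs (hypothetical, not captured from the live site).
// 1) the opening words of the FAQ answer quoted in this thread;
const FAQ_SAMPLE = "Gel ybbxvat va gur fcnz";
// 2) text the server escaped correctly: the browser's text view of
//    "&lt;o&gt;uryyb&lt;/o&gt;" is "<o>uryyb</o>", i.e. rot13("<b>hello</b>").
const ESCAPED_SAMPLE = "<o>uryyb</o>";

function demo() {
  return {
    faq: rot13(FAQ_SAMPLE),                      // "Try looking in the spam"
    asHtml: decodeIntoHtmlSink(ESCAPED_SAMPLE),  // "<b>hello</b>"  (markup)
    asText: decodeIntoTextSink(ESCAPED_SAMPLE),  // "&lt;b&gt;hello&lt;/b&gt;"
  };
}

console.log(demo());
```

    In real jQuery the text-sink form is simply `$(this).text(c.deCode($(this).text()))`. Note that the FAQ answer on the page does ship ROT13'd markup (its own `&lt;a ...&gt;` links), so the HTML sink is what makes those links render; choosing it means the server, not the browser, has to guarantee that nothing user-controlled ever reaches an `.encrypted` span.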


  • Discourse touched me in a no-no place

    @Daniel15 said:

    Bonus WTF: They read with $.text() and write with $.html(), thus turning even correctly-escaped text into an XSS hole. Genius.

    Depends on whether they de-fang things server-side and are actually delivering encoded HTML that way, which they might be.



  • Beating @chubertdev to the bump



  • @riking said:

    Beating @chubertdev to the bump

    Congrats to you and your wife


  • ♿ (Parody)

    @riking said:

    Beating @chubertdev to the bump

    Finally a use for sorting by number of posts?

