JS code in Target activity

Forum|Forum|2 months ago
November 19, 2025
1 reply
77 views

Do you know of any validation of JS code put into AT activity in the area of security?

Target

Best answer by bjoern__koth

Hi there

As such, Adobe Target does not perform exhaustive validation on custom JavaScript entered into activity offers. In other words, the responsibility for security of injected JS lies mainly with client-side governance and your organization’s own code review practices.

This means that potentially unsafe JS (including code that could trigger cross-site scripting/XSS or client-side vulnerabilities) can be inserted into Target offers if not properly controlled (through e.g. CSP, code reviews, avoidance of eval(), etc.).

Maybe this helps

https://wwwimages2.adobe.com/content/dam/cc/en/security/pdfs/AdobeTargetSecurityOverview.pdf

bjoern__koth

Accepted solution

Community Advisor and Adobe Champion

Hi there

As such, Adobe Target does not perform exhaustive validation on custom JavaScript entered into activity offers. In other words, the responsibility for security of injected JS lies mainly with client-side governance and your organization’s own code review practices.

This means that potentially unsafe JS (including code that could trigger cross-site scripting/XSS or client-side vulnerabilities) can be inserted into Target offers if not properly controlled (through e.g. CSP, code reviews, avoidance of eval(), etc.).

Maybe this helps

https://wwwimages2.adobe.com/content/dam/cc/en/security/pdfs/AdobeTargetSecurityOverview.pdf

Cheers from Switzerland!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded