Adobe Campaign Classic JSSP Page Error

anurags23332948

30-01-2019

Hi Team,

I am working on a simple web-hosted form with First Name, Last Name, Email Address and Territory fields and a Submit button. Once we click the Submit button, this information is POSTed to a JSSP page that is created and hosted in Adobe Campaign Classic. Now, this JSSP page contains the code below:

<%
  response.setContentType("text/html;charset=utf-8");
  logonEscalation("webapp");

  // Build the recipient record from the POSTed form fields (E4X XML literal)
  var rcp =
    <recipient
      _operation="insertOrUpdate"
      _key="@email"
      xtkschema="nms:recipient"
      firstName={request.getParameter("firstName")}
      lastName={request.getParameter("lastName")}
      email={request.getParameter("email")}
      territory={request.getParameter("territory")}>
    </recipient>;

  // Insert or update the recipient, keyed on the email address
  xtk.session.Write(rcp);
%>Loading...
<meta http-equiv="refresh" content="1; url=<%= request.getParameter("url")%>">

Issue:

My issue here is that I am able to submit the data without any trouble: I do not get any error message and the data is stored in the Adobe Campaign DB. But if someone else tries to post the data, they get the error message below:

[Attached screenshots: 1.JPG, 2.JPG]

Any thoughts on what I am doing wrong here, or what the reason could be?

Tagging community champs for any input.

Vipul Raghav

Amit_Kumar

Jean-Serge Biron

davidl14970702

florentlb

Adhiyan

Ananya Kuthiala

Accepted Solutions (1)


wodnicki

MVP

01-02-2019

Hi,

Change logonEscalation to admin. There are numerous problems here besides:

  • Anyone can set anyone's recipient record to anything, intentionally or not. The page should be inserting new rows into a staging table, then batch-processing via a scheduled workflow, with conflicts manually resolved or discarded
  • Email address syntax isn't validated
  • UTF-8 is declared in the content-type header, but params aren't being read as utf-8. Use request.getUTF8Parameter() instead
  • Content-type header is set, but the page is just a meta redirect
  • Link to visit isn't given to users who've disabled meta redirects
  • Redirect URL isn't validated or sanitized, leaving the page vulnerable to a variety of attacks

Thanks,

-Jon
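As an added example (not code from this thread or from Adobe Campaign), here are plain JavaScript validators for the two unvalidated inputs the answer lists: email syntax and the redirect target. The allowlisted host, fallback URL and field names are assumptions; a JSSP page would call these after reading parameters with request.getUTF8Parameter() and before writing anything or emitting the redirect.

```javascript
// Added example, not from the original post or from Adobe Campaign.
// The allowlist host and the fallback path are assumed values.
const ALLOWED_REDIRECT_HOSTS = new Set(["www.example.com"]); // assumed allowlist
const FALLBACK_URL = "https://www.example.com/thank-you";      // assumed fallback

// Conservative email syntax check: one '@', no whitespace, a dotted domain,
// bounded length. Tighten further if the business requires it.
function isValidEmail(value) {
  if (typeof value !== "string" || value.length > 254) return false;
  return /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/.test(value);
}

// Accept only absolute http(s) URLs whose hostname is in the allowlist.
// Everything else ("javascript:", "//other.example", "https://trusted@other.example",
// relative paths, non-strings) is replaced by a fixed internal page, which
// closes the open-redirect problem the answer points out.
function safeRedirectUrl(candidate) {
  if (typeof candidate !== "string" || candidate.length > 2048) return FALLBACK_URL;
  let u;
  try { u = new URL(candidate); } catch (e) { return FALLBACK_URL; } // relative or malformed
  if (u.protocol !== "https:" && u.protocol !== "http:") return FALLBACK_URL;
  if (u.username || u.password) return FALLBACK_URL;             // userinfo tricks
  if (!ALLOWED_REDIRECT_HOSTS.has(u.hostname.toLowerCase())) return FALLBACK_URL;
  return u.href;
}

// Validate the whole submission; returns the cleaned record, any errors,
// and the redirect that is safe to emit. Field names are the ones from the form.
function validateSubmission(params) {
  const errors = [];
  const trim = (k) => (typeof params[k] === "string" ? params[k].trim() : "");
  const record = {
    firstName: trim("firstName"), lastName: trim("lastName"),
    email: trim("email").toLowerCase(), territory: trim("territory"),
  };
  for (const k of ["firstName", "lastName", "territory"]) {
    if (record[k].length === 0 || record[k].length > 100) errors.push(k + " missing or too long");
  }
  if (!isValidEmail(record.email)) errors.push("email syntax invalid");
  return { ok: errors.length === 0, errors, record, redirect: safeRedirectUrl(params.url) };
}
```

On failure the page should render the errors (and a plain link to the fallback page for users who disable meta refresh) instead of writing the record.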