Encryption and XSS protection on client-side in web application | Community
Skip to main content
M
Mary_Joy_Gonzales
Level 2
August 20, 2019
Solved

Encryption and XSS protection on client-side in web application

  • August 20, 2019
  • 6 replies
  • 5859 views

Hi everyone.

I created a web application for seminar registration in Adobe Campaign Classic v7.

This is my workflow:

Client wants to apply encryption and XSS protection on the client and server side to the payload before submitting it.
I have checked built-in functions in Campaign such as cryptString(), decryptString() and NL.JS.escape().

This is my script inside the Page activity:
      <script type="text/javascript">
          // <![CDATA[
          function formSubmit(e) {

              var firstName = document.getElementById("firstName").value;

              var email = document.getElementById("email").value;
              var memberId = document.getElementById("memberId").value;

              var mobile = document.getElementById("mobilePhone").value;

              document.controller.setValue('/ctx/vars/firstName', firstName);

              document.controller.setValue('/ctx/vars/email', email);
              document.controller.setValue('/ctx/vars/memberId', memberId);
              document.controller.setValue('/ctx/vars/mobile', mobile);

              document.controller.submit('next');

              return false;

          }
          // ]]>
      </script>

I tried to use the cryptString() during setValue like this:
          document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("' + memberId + '")%>');
However, instead of encrypting the value entered in the textfield, it's actually encrypting the string " + memberId + ".
     
Is there any way we can do this?

Any help is greatly appreciated.

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by saikatk2447661

    Hi,

       document.controller.setValue() is running on client side. But cryptString is a server side function. I guess only way to solve this is to send the value to server unencrypted (just by document.controller.submit('next'); ). And then use a Script activity to do the encryption server side.

    Thanks,

    Saikat

    6 replies

    Jonathon_wodnicki
    Community Advisor
    Jonathon_wodnickiCommunity Advisor
    Community Advisor
    August 20, 2019

    Hi,

    <%= cryptString(memberId)%>

    Thanks,

    -Jon

      M
      Mary_Joy_GonzalesAuthor
      Level 2
      August 22, 2019

      Hi Jon,
      Thank you for your response.
      I have tried the following:

      1. <%= cryptString(memberId) %>      --> [nms:webApp Error] ReferenceError: memberId is not defined
      2. '<%= cryptString(' + memberId + ') %>'    --> I removed the double quotes however, when I decrypted it in Script Activity, the value in the log is:
                             2019-08-20 14:38:23 decrypted memberId= + memberId +
                            2019-08-20 14:38:23 memberId=@uWgrIzsoAUuwWi0Ojk5aE/Ux2BbGdikIMNnXwQ8qsSM=
      3. cryptString(memberId)    --> no <%= %>. Error throws: Uncaught Reference type: cryptString not defined in the browser console

      I thought there's just syntax error around this, however, I haven't figured it out yet.

      saikatk2447661
      saikatk2447661Accepted solution
      Level 4
      August 23, 2019

      Hi,

         document.controller.setValue() is running on client side. But cryptString is a server side function. I guess only way to solve this is to send the value to server unencrypted (just by document.controller.submit('next'); ). And then use a Script activity to do the encryption server side.

      Thanks,

      Saikat

        M
        Mary_Joy_GonzalesAuthor
        Level 2
        August 27, 2019

        Hi Saikat.

        Thanks for your response.

        Client wanted the encryption on the client-side as part of security. I did something like this:

              document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("123456789")%>');

        where I passed a hardcoded value and this works.

        Is there no way that I can pass a variable inside cryptString? If it's not possible, is there other way to pass encrypted values from client side and decrypt it to server side? Or I just have to use third party encryption and decryption?

        saikatk2447661
        saikatk2447661
        Level 4
        August 27, 2019

        Hi Mary,

        When you are doing this, the server is serving the web page to the client after doing the encryption in server side. if you open the webapp in a browser, reload the page and check in developer mode, you must be seeing the encrypted value from the beginning.

        If you are using https then you are already using standard encryption.

        Thanks,

        Saikat

        M
        Mary_Joy_GonzalesAuthor
        Level 2
        August 27, 2019

        Hi Saikat.

        It's actually the other way around.

        The web application I created submits user information (Page) and process it inside the Script activity.

        Client wants two fields to be encrypted during transition for security purposes.

        They also wants to apply escaping for XSS protection.

        Do you have any advice on how to do this?

        Terms & ConditionsAccessibility statement

        Loading footer...