I created a web application for seminar registration in Adobe Campaign Classic v7.
This is my workflow:
Client wants to apply encryption and XSS protection on the client and server side to the payload before submitting it. I have checked built-in functions in Campaign such as cryptString(), decryptString() and NL.JS.escape().
var firstName = document.getElementById("firstName").value;
var email = document.getElementById("email").value;
var memberId = document.getElementById("memberId").value;
var mobile = document.getElementById("mobilePhone").value;
I tried to use the cryptString() during setValue like this: document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("' + memberId + '")%>'); However, instead of encrypting the value entered in the textfield, it's actually encrypting the string " + memberId + ".
document.controller.setValue() is running on the client side. But cryptString is a server-side function. I guess the only way to solve this is to send the value to the server unencrypted (just by document.controller.submit('next'); ). And then use a Script activity to do the encryption server side.
When you are doing this, the server is serving the web page to the client after doing the encryption on the server side. If you open the webapp in a browser, reload the page and check in developer mode, you must be seeing the encrypted value from the beginning.
If you are using https then you are already using standard encryption.
Is there no way that I can pass a variable inside cryptString? If it's not possible, is there another way to pass encrypted values from the client side and decrypt them on the server side? Or do I just have to use third-party encryption and decryption?
Hi Jon, Thank you for your response. I have tried the following:
<%= cryptString(memberId) %> --> [nms:webApp Error] ReferenceError: memberId is not defined
'<%= cryptString(' + memberId + ') %>' --> I removed the double quotes however, when I decrypted it in Script Activity, the value in the log is:
2019-08-20 14:38:23 decrypted memberId= + memberId +
2019-08-20 14:38:23 memberId=@uWgrIzsoAUuwWi0Ojk5aE/Ux2BbGdikIMNnXwQ8qsSM=
cryptString(memberId) --> no <%= %>. Error throws: Uncaught Reference type: cryptString not defined in the browser console
I thought there's just a syntax error around this, however, I haven't figured it out yet.
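
The render order described in the replies, as an added example that is not part of the original thread and is not Adobe's code. It uses a toy `<%= %>` renderer; `standInCrypt` and `standInDecrypt` are base64 placeholders assumed here in place of cryptString() and decryptString(), and all helper names are hypothetical.

```javascript
// Stand-ins for the server-side functions (base64 placeholder, NOT Campaign's algorithm).
const standInCrypt = (s) => '@' + Buffer.from(String(s), 'utf8').toString('base64');
const standInDecrypt = (s) => Buffer.from(s.slice(1), 'base64').toString('utf8');

// Server step: every <%= expr %> is evaluated before the page is sent,
// with access to server-side variables only.
function renderOnServer(template, serverVars = {}) {
  const scope = { cryptString: standInCrypt, ...serverVars };
  return template.replace(/<%=([\s\S]*?)%>/g, (_, expr) =>
    String(new Function(...Object.keys(scope), `return (${expr});`)(...Object.values(scope))));
}

// Browser step: run the already-rendered script with the value typed by the user.
function runInBrowser(servedScript, typedMemberId) {
  const ctx = {};
  const document = { controller: { setValue: (path, value) => { ctx[path] = value; } } };
  new Function('document', 'memberId', servedScript)(document, typedMemberId);
  return ctx;
}

const PATH = '/ctx/vars/memberId';

// Attempt from the thread: by render time the tag's argument is a string literal.
function attemptFromThread(typed) {
  const source = `document.controller.setValue('${PATH}', '<%= cryptString("' + memberId + '")%>');`;
  return standInDecrypt(runInBrowser(renderOnServer(source), typed)[PATH]);
}

// Unquoted variant: memberId does not exist on the server at render time.
function unquotedVariantError() {
  try { renderOnServer('<%= cryptString(memberId) %>'); return null; }
  catch (e) { return e.name; }
}

// Flow suggested in the reply: submit the raw value, encrypt in a server-side step.
function submitThenEncrypt(typed) {
  const source = `document.controller.setValue('${PATH}', memberId);`;
  const submitted = runInBrowser(renderOnServer(source), typed)[PATH];
  return standInCrypt(submitted); // stands in for the Script activity
}
```

With a constructed input such as `M-1001`, the first attempt decrypts to the literal text between the quotes, while the submit-then-encrypt flow decrypts to the typed value.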