Expand my Community achievements bar.

SOLVED

Encryption and XSS protection on client-side in web application

Avatar

Level 2

Hi everyone.

I created a web application for seminar registration in Adobe Campaign Classic v7.

This is my workflow:

1817511_pastedImage_0.png

Client wants to apply encryption and XSS protection on the client and server side to the payload before submitting it.
I have checked built-in functions in Campaign such as cryptString(), decryptString() and NL.JS.escape().

This is my script inside the Page activity:
      <script type="text/javascript">
          // <![CDATA[
          function formSubmit(e) {

              var firstName = document.getElementById("firstName").value;

              var email = document.getElementById("email").value;
              var memberId = document.getElementById("memberId").value;

              var mobile = document.getElementById("mobilePhone").value;

              document.controller.setValue('/ctx/vars/firstName', firstName);

              document.controller.setValue('/ctx/vars/email', email);
              document.controller.setValue('/ctx/vars/memberId', memberId);
              document.controller.setValue('/ctx/vars/mobile', mobile);

              document.controller.submit('next');

              return false;

          }
          // ]]>
      </script>

I tried to use the cryptString() during setValue like this:
          document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("' + memberId + '")%>');
However, instead of encrypting the value entered in the textfield, it's actually encrypting the string " + memberId + ".
     
Is there any way we can do this?

Any help is greatly appreciated.

1 Accepted Solution

Avatar

Correct answer by
Level 4

Hi,

   document.controller.setValue() is running on client side. But cryptString is a server side function. I guess only way to solve this is to send the value to server unencrypted (just by document.controller.submit('next'); ). And then use a Script activity to do the encryption server side.

Thanks,

Saikat

View solution in original post

6 Replies

Avatar

Community Advisor

Hi,

<%= cryptString(memberId)%>

Thanks,

-Jon

Avatar

Level 2

Hi Jon,
Thank you for your response.
I have tried the following:

  1. <%= cryptString(memberId) %>      --> [nms:webApp Error] ReferenceError: memberId is not defined
  2. '<%= cryptString(' + memberId + ') %>'    --> I removed the double quotes however, when I decrypted it in Script Activity, the value in the log is:
                         2019-08-20 14:38:23 decrypted memberId= + memberId +
                        2019-08-20 14:38:23 memberId=@uWgrIzsoAUuwWi0Ojk5aE/Ux2BbGdikIMNnXwQ8qsSM=
  3. cryptString(memberId)    --> no <%= %>. Error throws: Uncaught Reference type: cryptString not defined in the browser console

I thought there's just syntax error around this, however, I haven't figured it out yet.

Avatar

Correct answer by
Level 4

Hi,

   document.controller.setValue() is running on client side. But cryptString is a server side function. I guess only way to solve this is to send the value to server unencrypted (just by document.controller.submit('next'); ). And then use a Script activity to do the encryption server side.

Thanks,

Saikat

Avatar

Level 2

Hi Saikat.

Thanks for your response.

Client wanted the encryption on the client-side as part of security. I did something like this:

      document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("123456789")%>');

where I passed a hardcoded value and this works.

Is there no way that I can pass a variable inside cryptString? If it's not possible, is there other way to pass encrypted values from client side and decrypt it to server side? Or I just have to use third party encryption and decryption?

Avatar

Level 4

Hi Mary,

When you are doing this, the server is serving the web page to the client after doing the encryption in server side. if you open the webapp in a browser, reload the page and check in developer mode, you must be seeing the encrypted value from the beginning.

If you are using https then you are already using standard encryption.

Thanks,

Saikat

Avatar

Level 2

Hi Saikat.

It's actually the other way around.

The web application I created submits user information (Page) and process it inside the Script activity.

Client wants two fields to be encrypted during transition for security purposes.

They also wants to apply escaping for XSS protection.

Do you have any advice on how to do this?