Data protection: escaping functions
Adobe Campaign provides a set of functions that protect against the most frequent injection attacks: SQL injection, XSS attacks, etc.
Escaping functions are to be used under the supervision of operators and Adobe may not be held responsible for the bad use or absence of use of these functions during developments.
The general rule is as follows:
All parameters must be escaped. The function used for escaping depends on the destination format of the data.
Simplified escaping
In the JSSPs, Adobe Campaign provides the '<%=' tag, which lets you escape a variable used in a generated XML or HTML entity. This method is more convenient and is equivalent to NL.XML.escape().
The following example illustrates the use of the tag to escape a parameter:
<li>
<%= strRecipientList %>
</li>
Advanced escaping
Adobe Campaign provides 4 functions that let you escape a parameter depending on the destination format.
To access these escaping functions, include the following files respectively (one per function, in the order listed below):
NL.require('/nl/core/shared/xml.js')
NL.require('/nl/core/sql.js')
NL.require('/nl/core/shared/xtk.js')
NL.require('/nl/core/shared/js.js')
- NL.XML.escape(data) to escape a variable used in a generated XML or HTML entity. This function is the equivalent of the '<%=' syntax. It is defined in the NL.XML package.
<tr> <td><%== NL.XML.escape(node.id) %></td> <td><%== NL.XML.escape(node.label) %></td> </tr>
- NL.SQL.escape(data) to escape a parameter that can be used in an SQL query. This function automatically places the expression between single quotation marks, so the caller must not add its own. It is defined in the NL.SQL package.
var strSql = "UPDATE NmsRecipient SET sEmail=" + NL.SQL.escape(strEmail) + " WHERE ...";
- NL.XTK.toXTKString(data) to escape a parameter destined to be used in an XTK expression. This function is defined in the NL.XTK package.
var query = NLWS.xtkQueryDef.create({
  queryDef: {
    schema: "nms:recipient",
    operation: "select",
    select: { node: [ { expr: "@firstName" }, { expr: "@lastName" } ] },
    where: { condition: { expr: "@email=" + NL.XTK.toXTKString(request.getParameter("query")) } }
  }
});
- NL.JS.escape(data) to escape a variable used in JavaScript executed on the client side. This function is defined in the NL.JS package.
<script type="text/javascript"> var value = "Foo <%== NL.JS.escape(Node.@value) %>"; </script>
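The general rule above (escape every parameter, and pick the escaping function from the destination format) is easiest to see with one untrusted value rendered into the three contexts the page lists: an HTML entity, an SQL string literal and a client-side JavaScript string. The block below is an added example, not Adobe Campaign code: the functions xmlEscape, sqlEscape and jsEscape are minimal stand-ins written here to mimic the contract the page states for NL.XML.escape, NL.SQL.escape and NL.JS.escape (in particular, sqlEscape adds the single quotation marks itself). NL.XTK.toXTKString has no stand-in because the page does not describe the XTK string grammar. The sample value is constructed; it contains a quote, a tag and a closing script tag so that emitting it raw would break each context.

```javascript
// Added example (not Adobe Campaign code): stand-in escapers, one per destination
// format, to show why the same value needs a different rule in each context.
// These are assumptions modelled on the contract the documentation describes,
// not the real NL.XML / NL.SQL / NL.JS implementations.

// XML/HTML text or attribute context: replace the five characters that XML
// reserves with their predefined entities.
function xmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// SQL string literal context: double every single quote and wrap the result in
// single quotes, as the page says NL.SQL.escape does, so callers add no quotes.
function sqlEscape(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Client-side JavaScript string literal context: neutralise backslashes, both
// quote characters, line terminators and '<', so the value can neither end the
// string literal nor close the enclosing <script> element.
function jsEscape(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c");
}

// Render the same untrusted value into the three fragments shown on the page,
// each escaped for its own destination format.
function renderAll(untrusted) {
  return {
    html: "<li>" + xmlEscape(untrusted) + "</li>",
    sql: "UPDATE NmsRecipient SET sEmail=" + sqlEscape(untrusted) + " WHERE iRecipientId=1",
    js: 'var value = "Foo ' + jsEscape(untrusted) + '";'
  };
}

// Constructed sample input: a quote, a tag and a closing script tag, each of
// which would terminate the surrounding literal or element if emitted raw.
const SAMPLE = "O'Brien\" <b>x</b> -- </script>";

// Quick self-check: none of the escaped fragments still carries a raw tag or an
// unescaped quote that could end its enclosing context.
function fragmentsAreSafe(rendered) {
  return !rendered.html.includes("<b>") &&
         !rendered.js.includes("</script>") &&
         rendered.sql.split("'").length - 1 === 4; // two delimiters + doubled quote
}

const rendered = renderAll(SAMPLE);
console.log(rendered.html);
console.log(rendered.sql);
console.log(rendered.js);
console.log("safe:", fragmentsAreSafe(rendered));
```

Note that the SQL fragment still contains the `<b>` tag and the HTML fragment still contains the apostrophe: each escaper only neutralises what is special in its own format, which is exactly why a value that travels from SQL to HTML to JavaScript must be escaped once per destination, never once for all.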