Data protection: escaping functions

Adobe Campaign provides a set of functions that protect against the most frequent attacks: SQL injection, XSS, etc.

Escaping functions are to be used under the supervision of operators, and Adobe may not be held responsible for the misuse or non-use of these functions during development.

The general rule is as follows:

All parameters must be escaped. The function used for escaping depends on the destination format of the data.

Simplified escaping

In the JSSPs, Adobe Campaign provides the '<%=' tag which lets you escape a variable used in a generated XML or HTML entity. This method is more convenient and is equivalent to NL.XML.escape(). The following example illustrates the use of the tag to escape a parameter:
<li>
<%= strRecipientList %>
</li>

Advanced escaping

Adobe Campaign provides 4 functions that let you escape a parameter depending on the destination format. To access these escaping functions, load the following files respectively:
NL.require('/nl/core/shared/xml.js')
NL.require('/nl/core/sql.js')
NL.require('/nl/core/shared/xtk.js')
NL.require('/nl/core/shared/js.js')
  • NL.XML.escape(data) to escape a variable used in a generated XML or HTML entity. This function is the equivalent of the '<%=' syntax. This function is defined in the NL.XML package.
    <tr>
    <td><%==NL.XML.escape(node.id)%></td>
    <td><%==NL.XML.escape(node.label)%></td>
    </tr>
  • NL.SQL.escape(data) to escape a parameter that can be used in an SQL query. This function automatically places the expression between single quotation marks. This function is defined in the NL.SQL package.

    var strSql = "UPDATE NmsRecipient SET sEmail=" + NL.SQL.escape(strEmail) + " WHERE ...";
  • NL.XTK.toXTKString(data) to escape a parameter destined to be used in an XTK expression. This function is defined in the NL.XTK package.
    
    var query = NLWS.xtkQueryDef.create(
      {queryDef: {schema: "nms:recipient", operation: "select", 
        select: {
          node: [
            {expr: "@firstName"}, 
            {expr: "@lastName"} 
          ]
        }, 
        where: {
          condition: {expr: "@email=" + NL.XTK.toXTKString(request.getParameter("query"))}
        }
      }})
          
  • NL.JS.escape(data) to escape a variable used in JavaScript executed on the client side. This function is defined in the NL.JS package.
    <script type="text/javascript">
    var value = "Foo <%== NL.JS.escape(Node.@value) %>";
    </script>
Warning: Adobe Campaign does not guarantee the durability of these functions for later versions.
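
The general rule above (the escaping function depends on the destination format) can be checked with the following added example, which is not Adobe Campaign code: it runs in plain JavaScript outside a JSSP. The functions escapeXml, escapeSqlLiteral and escapeJsString are hypothetical stand-ins written for this illustration, not the NL.* implementations, and the readers are simplified models of each destination.

```javascript
// Stand-in escapers written for this example; they are NOT Adobe's NL.* code.
function escapeXml(data) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(data).replace(/[&<>"']/g, (c) => map[c]);
}
function escapeSqlLiteral(data) {
  // Standard SQL: double embedded quotes and return a complete quoted literal.
  return "'" + String(data).replace(/'/g, "''") + "'";
}
function escapeJsString(data) {
  // \uXXXX-encode everything that could end a JS string or a <script> block.
  return String(data).replace(/[\\"'<>&\r\n\u2028\u2029]/g,
    (c) => "\\u" + ("0000" + c.charCodeAt(0).toString(16)).slice(-4));
}

// Simplified readers for each destination: return the value the destination
// would recover, or null if the data broke out of its container.
const readers = {
  html(e) {
    if (/</.test(e)) return null; // markup was injected
    const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
    return e.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
  },
  sql(literal) {
    if (!/^'(?:[^']|'')*'$/.test(literal)) return null; // literal closed early
    return literal.slice(1, -1).replace(/''/g, "'");
  },
  js(e) {
    if (/[<\u2028\u2029]/.test(e)) return null; // could end the script block
    // JSON string rules are used as a strict approximation of a JS string.
    try { return JSON.parse('"' + e + '"'); } catch (err) { return null; }
  },
};

// For every escaper/destination pair, report whether the destination
// recovers exactly the original value.
function auditEscaping(value) {
  const escapers = { xml: escapeXml, sql: escapeSqlLiteral, js: escapeJsString };
  const result = {};
  for (const name of Object.keys(escapers)) {
    for (const dest of Object.keys(readers)) {
      let out = escapers[name](value);
      if (dest === "sql" && name !== "sql") out = "'" + out + "'"; // hand-quoted
      result[name + "->" + dest] = readers[dest](out) === value;
    }
  }
  return result;
}

// Constructed sample input containing characters special to all three formats.
console.log(auditEscaping('O\'Brien & "<b>" \\'));
```

Only the matching pairs (xml->html, sql->sql, js->js) report true; every mismatched pair either breaks out of its container or delivers altered data.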