-
Notifications
You must be signed in to change notification settings - Fork 28
Secure Offer
XDex edited this page Oct 12, 2016
·
9 revisions
Secure Offer extension for at.js library is used to sanitize offers fetched via at.js getOffer() calls.
The extension is intended as a drop-in replacement for getOffer(), featuring the same parameter specification.
##Prerequisites:
- AT.js library
- Secure Offer module
##Integration Instructions:
- Include at.js
- Choose an appropriate at-secure-offer extension distribution and add it to your page after at.js OR add the extension to the end of at.js in the Target Tool configuration of DTM.
- Replace
adobe.target.getOffer(options)calls in your application withadobe.target.ext.getSecureOffer(options)(see the extension README for additional info).
This will sanitize all CSS and HTML offer content, removing any Javascript code and any potential arbitrary code execution vulnerabilities, that might be present in fetched offer content.
##Example
adobe.target.ext.getSecureOffer({
mbox: 'myMbox',
success: function (offers) {
console.log('Sanitized offer content', offers[0].content);
},
error: function (status, error) {
console.log(status, error);
}
});##Notes
- The extension will strip the HTML/CSS offer content of any Javascript code, as well as of any potential arbitrary code execution vulnerabilities that might be present in offer content, such as
onclick, onload, onerrorattributes, obfuscated<script>tags, etc. - Fetched offers will also be stripped of any plugins
These extensions are provided free to developers as a starting point to integrate at.js with their Single Page Application. Extensions are not always updated for the latest at.js version. Customization may be required to integrate successfully with your single page app.
Issues: place send feedback and questions through Github issues. We will respond as best we can. Please note, these extensions are not supported by Adobe Client Care or Target Engineering.