Secure Offer

Secure Offer extension for at.js library is used to sanitize offers fetched via at.js getOffer() calls.
The extension is intended as a drop-in replacement for getOffer(), featuring the same parameter specification.

##Prerequisites

1. AT.js library
2. Secure Offer module

##Integration Instructions

1. Include at.js
2. Choose an appropriate at-secure-offer extension distribution and add it to your page after at.js OR add the extension to the end of at.js in the Target Tool configuration of DTM.
3. Replace adobe.target.getOffer(options) calls in your application with adobe.target.ext.getSecureOffer(options) (see the extension README for additional info).
   This will sanitize all CSS and HTML offer content, removing any Javascript code and any potential arbitrary code execution vulnerabilities, that might be present in fetched offer content.

##Example

adobe.target.ext.getSecureOffer({
    mbox: 'myMbox',
    success: function (offers) {
      console.log('Sanitized offer content', offers[0].content);
    },
    error: function (status, error) {
      console.log(status, error);
    }
});

##Notes

• The extension will strip the HTML/CSS offer content of any Javascript code, as well as of any potential arbitrary code execution vulnerabilities that might be present in offer content, such as onclick, onload, onerror attributes, obfuscated <script> tags, etc.
• Fetched offers will also be stripped of any plugins
• Current version of the extension uses (Google Caja JsHtmlSanitizer)[https://github.com/google/caja/wiki/JsHtmlSanitizer]. In future versions support for other sanitizers, such as (DOMPurify)[https://github.com/cure53/DOMPurify] may be added.