There is a public solution:

na1.salesforce.com/_ui/selfservice/pkb/P...3D1%26t%3D4&ps=1

That discusses text ciphering for transmission of sensitive strings (passwords, etc.). I assume this idea is to use the ciphering so that the sensitive string do not show up as plain text in the URLs?

www.i-cubed.com/convertigo/projects/MyPr...ansaction=login&user=OHNOMYUSER&password=OHNOMYPASSWORD

I understand that we can use context.decodeFromHexString(myString) within the JavaScript of a 'Simple Statement' statement object within our transactions to decode strings once they have reached the server.

My question is, how to we get access to context.encodeToHexString(myString) in our client code?

I'm delivering an AJAX site via a 'dummy' transaction in Convertigo that renders my own .xsl that includes my custom .js files. Is there a particular .js file that I could include to gain access to the ciphering logic? I would think that this context object is probably not available.

Hi Adam,

You don't have client side access to the Convertigo context object.
Encode/Decode methods of the context object is for known values that will not change. For example, the values are ciphered locally via Convertigo and then placed in your client page to ensure they are not 'readable' when transmitted. This solution is not relevant when you want to securely transmit user/password or changing parameters to Convertigo.

What you can do:

_ Add a simple JS algorithm both client and server side to encode/decode data. 'JS encode' function is client side and 'JS decode' function stands in a 'Simple statement' of the transaction. This is a weak solution because 'JS encode' function is public and could be reverse engineered. An asymmetric algorithm would be more secure, I know there are free and open JS implementation on the net.

In the future, Convertigo would implement an asymmetric cryptography algorithm (public/private keys) and would provide a js file to use by client code. To be confirmed.

Is it possible to send Convertigo variables via POST parameters instead of GET URL parameters?

This is not as useful if your dashboard only supports embedding the mashable as a single URL; but if you are building a more advanced client, the POST parameters seem like they could be more secure?

You are right and i completely forgot to mention that possibility. You can, of course, send your data via a POST form to Convertigo that will automatically detects the type of the method used. You can also mix methods although it is not recommended.

For example, an HTML form :



You can use "__sequence" verb instead of transaction to execute a Convertigo sequence.
You may found some more information on the Convertigo Wiki.

Some Base64 encoding and switching to POSTs instead of GETs (very easy w/ Convertigo!) makes my connector much more reasonable from a security aspect I think.

One problem I had though was having to paste my Base64 decoding methods into several 'Simple Statement' transaction statements. Is possible to add functions to a globally included script so that they are automatically available for each statement?

I tried this with scriptlib.js, but did not have success.

You may read my new "Convertigo's Tips n Tricks" post about code sharing

Edit: re-formulated the sentence.