Ram S
Fix Potential Cross-site Scripting Vectors
Hi All,
If anyone finds difficulties in passing this challenge, please make these changes in the VF page:
<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText > {!sampleMergeField3} </apex:outputText>
<script> document.write('{!JSINHTMLENCODE(sampleMergeField4)}'); </script>
{!sampleMergeField5}
<script> var x = '{!JSENCODE(sampleMergeField6)}'; </script>
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
Thanks,
Ram
All Answers
If you are doing "Identify Potential Cross-Site Scripting Vectors" unit challenge, you just need to edit the comment lines to either YES or NO.
So the answer will be:
Line 10: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 14: <!-- sampleMergeField2 is vulnerable to XSS: YES -->
Line 20: <!-- sampleMergeField3 is vulnerable to XSS: NO -->
Line 28: <!-- sampleMergeField4 is vulnerable to XSS: YES -->
Line 32: <!-- sampleMergeField5 is vulnerable to XSS: NO -->
Line 38: <!-- sampleMergeField6 is vulnerable to XSS: YES -->
Line 42: <!-- sampleMergeField7 is vulnerable to XSS: YES -->
<style>
.foo {
color: #{!sampleMergeField4};
}
</style>
Following RAM 5's answer, I added the following code, but I just don't understand how we were supposed to figure this out...
<style>
.foo {
color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
}
</style>
Anyway, this code worked for me...
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
<apex:pageBlock >
<c:Classic_Error />
<apex:pageMessages />
<apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
<apex:outputText value="{!sampleMergeField1}"/>
<!-- sampleMergeField1 is vulnerable to XSS: NO -->
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<!-- sampleMergeField2 is vulnerable to XSS:YES -->
<apex:outputText >
{!sampleMergeField3}
</apex:outputText>
<!-- sampleMergeField3 is vulnerable to XSS:NO -->
<style>
.foo {
color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
}
</style>
<!-- sampleMergeField4 is vulnerable to XSS:YES -->
{!sampleMergeField5}
<!-- sampleMergeField5 is vulnerable to XSS:NO -->
<script>
var x = '{!JSENCODE(sampleMergeField6)}';
</script>
<!-- sampleMergeField6 is vulnerable to XSS:YES -->
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
<!-- sampleMergeField7 is vulnerable to XSS:YES -->
</apex:pageBlockSection>
<apex:pageBlockSection title="Code links" columns="1">
<apex:outputPanel >
<ul>
<li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
<li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
</ul>
</apex:outputPanel>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>
Update to this question and its answer.
You do not need to add the extra functions or wrap the merge fields in the additional functions mentioned above.
What you need to do is put the correct merge field name in the comment and specify whether it is vulnerable or not.
For example, in case of following merge field.
<apex:outputText value="{!sampleMergeField2}" escape="false"/>
<!-- sampleMergeField2 is vulnerable to XSS: YES -->
Note the comment. Mention correct merge field name.
Hope this helps you. It certainly worked for me.
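What decides each line in this challenge is the output context the merge field lands in and whether Visualforce's auto-escaping applies there. The following is an added example, not code from this thread and not Salesforce's code: a plain JavaScript model of the page's contexts that can be run with node to check each decision against real payloads instead of guessing. The encoders approximate HTMLENCODE, JSENCODE and JSINHTMLENCODE (JSINHTMLENCODE is modelled as JSENCODE(HTMLENCODE(x)), the order the page's `document.write('...')` line needs); the three payloads, the `injected()` stand-in for attacker code and the hex-colour allowlist for the CSS line are all constructed for this example. The model treats a bare merge field in the page body as auto-escaped, which is the Visualforce default; the answers in this thread differ on that line.

```javascript
// Added example, not code from this thread: a JavaScript model of the output
// contexts in the challenge page and of the three encoders used in it. The
// encoders approximate HTMLENCODE / JSENCODE / JSINHTMLENCODE for illustration;
// they are not Salesforce's implementations.

// Constructed attacker inputs, one per context.
const JS_PAYLOAD = "'; injected(); //";                    // for var x = '...'
const HTML_PAYLOAD = '<img src=x onerror="injected()">';   // for HTML body / document.write
const CSS_PAYLOAD = 'fff; } </style><script>injected()</script><style>.x{'; // for color: #...

// Stand-in for whatever the attacker's script would do in a real browser.
let injectedCalled = false;
globalThis.injected = () => { injectedCalled = true; };

// Approximation of HTMLENCODE: entity-encode the five HTML metacharacters.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Approximation of JSENCODE: backslash-escape string delimiters and line
// terminators, and hex-escape angle brackets so no literal "</script>" survives.
function jsEncode(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r',
                '<': '\\u003C', '>': '\\u003E', '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return String(s).replace(/[\\'"\n\r<>\u2028\u2029]/g, c => map[c]);
}

// JSINHTMLENCODE, modelled here as JSENCODE(HTMLENCODE(x)): the value is inert
// as HTML and also cannot close the JS string that carries it, which is what the
// document.write('...') line in the page needs.
function jsInHtmlEncode(s) { return jsEncode(htmlEncode(s)); }

const identity = s => String(s);                        // "no encoding at all"
const containsActiveHtml = s => /<[a-zA-Z/]/.test(s);  // would the HTML parser see a tag?

// <apex:outputText value="{!field}"/>: auto-escaped unless escape="false".
function renderOutputText(value, escape = true) {
  return escape ? htmlEncode(value) : String(value);
}

// <script> var x = '{!field}'; </script>, executed as a browser would.
// Returns what x ended up holding and whether the attacker's code ran.
function runScriptString(value, encoder) {
  injectedCalled = false;
  const body = `var x = '${encoder(value)}';\nreturn x;`;
  let x = null, error = null;
  try { x = new Function(body)(); } catch (e) { error = e.name; }
  return { x, error, injected: injectedCalled };
}

// <script> document.write('{!field}'); </script>: returns the HTML string the
// browser would insert into the document (a second, HTML, parse of the value).
function runDocumentWrite(value, encoder) {
  const doc = { written: null, write(s) { this.written = s; } };
  new Function('document', `document.write('${encoder(value)}');`)(doc);
  return doc.written;
}

// <style> .foo { color: #{!field}; } </style>. None of the page's encoders
// targets CSS, so this example's own mitigation is an allowlist: anything that
// is not a hex colour is replaced by a fixed default.
function renderStyle(value, validate = false) {
  const colour = validate && !/^[0-9a-fA-F]{3,8}$/.test(value) ? '000000' : value;
  return `<style> .foo { color: #${colour}; } </style>`;
}
const escapesStyleBlock = html => (html.match(/<\/style>/gi) || []).length > 1;

// The seven merge fields of the challenge page, rendered through the model.
// Rule encoded: Visualforce HTML-escapes merge fields outside <script>/<style>
// unless escape="false"; inside <script>/<style> nothing is escaped for you.
function classifyChallengeLines() {
  return {
    sampleMergeField1: containsActiveHtml(renderOutputText(HTML_PAYLOAD, true)),
    sampleMergeField2: containsActiveHtml(renderOutputText(HTML_PAYLOAD, false)),
    sampleMergeField3: containsActiveHtml(renderOutputText(HTML_PAYLOAD, true)),  // tag body is escaped too
    sampleMergeField4: escapesStyleBlock(renderStyle(CSS_PAYLOAD)),
    sampleMergeField5: containsActiveHtml(htmlEncode(HTML_PAYLOAD)),              // bare merge field in the body
    sampleMergeField6: runScriptString(JS_PAYLOAD, identity).injected,
    sampleMergeField7: containsActiveHtml(renderOutputText(HTML_PAYLOAD, false)), // outputLabel, escape="false"
  };
}

console.log(classifyChallengeLines());
```

Running it prints fields 1, 3 and 5 as false and the rest as true. Two cases are worth trying by hand: `runDocumentWrite(HTML_PAYLOAD, jsEncode)` keeps the JS string intact but still writes a live `<img>` tag into the document, which is why that line needs JSINHTMLENCODE and not JSENCODE; and `runScriptString(JS_PAYLOAD, htmlEncode)` does not run the payload in this model but hands x a corrupted value, so HTMLENCODE is the wrong tool for a script string even when it appears to work.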
<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
<apex:pageBlock >
<apex:pageMessages />
<apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
<c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
<apex:outputText value="{!(sampleMergeField1)}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText >
{!(sampleMergeField3)}
</apex:outputText>
<script>
document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
</script>
{!(sampleMergeField5)}
<script>
var x = '{!JSENCODE(sampleMergeField6)}';
</script>
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
</apex:pageBlockSection>
<apex:pageBlockSection title="Code links" columns="1">
<apex:outputPanel >
<ul>
<li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>
<li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
</ul>
</apex:outputPanel>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>
Here is the correct code to load into your VF page:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
<apex:pageBlock >
<c:Classic_Error />
<apex:pageMessages />
<apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
<apex:outputText value="{!sampleMergeField1}"/>
<!-- sampleMergeField1 is vulnerable to XSS: NO -->
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<!-- sampleMergeField2 is vulnerable to XSS:YES -->
<apex:outputText > {!sampleMergeField3} </apex:outputText>
<!-- sampleMergeField3 is vulnerable to XSS:NO -->
<style>
.foo {
color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
}
</style>
<!-- sampleMergeField4 is vulnerable to XSS:YES -->
{!sampleMergeField5}
<!-- sampleMergeField5 is vulnerable to XSS:YES -->
<script>
var x = '{!JSENCODE(sampleMergeField6)}';
</script>
<!-- sampleMergeField6 is vulnerable to XSS:YES -->
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
<!-- sampleMergeField7 is vulnerable to XSS:YES -->
</apex:pageBlockSection>
<apex:pageBlockSection title="Code links" columns="1">
<apex:outputPanel >
<ul>
<li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
<li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
</ul>
</apex:outputPanel>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>
Gennady Yanovsky 5
Gennady Yanovsky 5's code worked for me.
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
<apex:pageBlock >
<c:Classic_Error />
<apex:pageMessages />
<apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
<apex:outputText value="{!sampleMergeField1}"/>
<!-- Line 10 is vulnerable to XSS: NO -->
<apex:outputText value="{!sampleMergeField2}" escape="false"/>
<!-- Line 14 is vulnerable to XSS: YES -->
<apex:outputText >
{!sampleMergeField3}
</apex:outputText>
<!-- Line 19 is vulnerable to XSS: NO -->
<style>
.foo {
color: #{!sampleMergeField4};
}
</style>
<!-- Line 26 is vulnerable to XSS: YES -->
{!sampleMergeField5}
<!-- Line 32 is vulnerable to XSS: YES -->
<script>
var x = '{!sampleMergeField6}';
</script>
<!-- Line 37 is vulnerable to XSS: YES -->
<apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
<!-- Line 42 is vulnerable to XSS: YES -->
</apex:pageBlockSection>
<apex:pageBlockSection title="Code links" columns="1">
<apex:outputPanel >
<ul>
<li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
<li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
</ul>
</apex:outputPanel>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>
Thanks