S Wittenstein

Prevent XSS in Lightning Platform Applications

I am attempting to complete Prevent XSS in Lightning Platform Applications.

The only feedback the challenge provides is: "It doesn't appear that you've fixed all of the merge fields to prevent cross-site scripting vectors. Please check your code again."

This feedback is provided even if I delete all the code. I've provided what I think is the correct answer, but no dice. 

Can someone tell me what I've got wrong? I've spent more than 2 hours on this 45 minute exercise.

Code as follows:

<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
                        
            <apex:outputText value="{!sampleMergeField1}"/>
            <!--apex:outputText value="{!sampleMergeField1}"/-->
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
            <!--apex:outputText value="{!sampleMergeField2}" escape="false"/-->
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!--apex:outputText >
                {!sampleMergeField3}
            </apex:outputText-->
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <script>
                document.write('{!JSENCODE(sampleMergeField4)}');
            </script>
            <!--style>
                document.write('{!JSENCODE(sampleMergeField4)}');
            </style-->
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->

             
            
            {!JSINHTMLENCODE(sampleMergeField5)}
            <!--{!sampleMergeField5}-->
            <!-- sampleMergeField5 is vulnerable to XSS: YES -->
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            <!--script>
                var x = '{!sampleMergeField6}';
            </script-->
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            <apex:outputLabel value="{!JSINHTMLENCODE(sampleMergeField7)}" escape="false"/>
            <!--apex:outputLabel value="{!sampleMergeField7}" escape="false"/-->
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->      


        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>

Best Answer chosen by S Wittenstein
Agustin B
hi, try with this one:
<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
            
            
            <apex:outputText value="{!sampleMergeField1}"/>


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>


            <apex:outputText >
                {!sampleMergeField3} <!-- doesn't require HTML encoding, as it's provided by the Lightning Platform -->
            </apex:outputText>
       
       
            <script>
                document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
            </script>
             
            
            {!sampleMergeField5} <!-- doesn't require HTML encoding, as it's provided by the Lightning Platform -->
            
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            
            
            <apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
                     

        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
if it helps please like and mark as correct, as it may help others.
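The answer above works because each merge field is encoded for the context it is rendered into: HTMLENCODE where `escape="false"` turns off the platform's default HTML escaping (fields 2 and 7), JSENCODE inside a JavaScript string literal (field 6), JSINHTMLENCODE for a JavaScript string that `document.write` then injects as HTML (field 4), and nothing extra where the platform already escapes (fields 1, 3 and 5). The block below is an added example, not code from the thread or from Salesforce: it approximates the three Visualforce functions in plain JavaScript (the exact character set each real function escapes is an assumption here), maps an output context to its encoder, and checks that an encoded value no longer contains anything that could close the surrounding syntax. The sample value `SAMPLE` is constructed for the demonstration.

```javascript
// Added example (not part of the original thread): approximations of the
// Visualforce HTMLENCODE / JSENCODE / JSINHTMLENCODE functions. The exact
// escape sets of the real functions are an assumption; these cover the
// characters that matter for the contexts discussed in the thread.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text / attribute context (use where escape="false" disabled the default).
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// JavaScript string-literal context: backslash-escape quotes, backslashes and
// line terminators, and hex-escape angle brackets so the value can never
// terminate the enclosing <script> element.
function jsEncode(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/</g, '\\x3C')
    .replace(/>/g, '\\x3E');
}

// JavaScript string that is later written into the DOM as HTML (document.write):
// HTML-encode first so the browser renders text, then JS-encode for the literal.
function jsInHtmlEncode(s) {
  return jsEncode(htmlEncode(s));
}

// Output context -> encoder, following the mapping used in the accepted answer.
const CONTEXTS = {
  'html-text': htmlEncode,          // sampleMergeField2 / sampleMergeField7
  'js-string': jsEncode,            // sampleMergeField6
  'js-string-to-html': jsInHtmlEncode, // sampleMergeField4
};

function encodeFor(context, value) {
  const enc = CONTEXTS[context];
  if (!enc) throw new Error(`unknown output context: ${context}`);
  return enc(value);
}

// Defensive check: after encoding, nothing may remain that could close the
// enclosing syntax for that context.
function isSafeFor(context, encoded) {
  if (context === 'html-text') {
    return !/[<>"']/.test(encoded);
  }
  if (context === 'js-string' || context === 'js-string-to-html') {
    // Drop every backslash-escaped pair, then look for raw breakout characters.
    const rest = encoded.replace(/\\./g, '');
    return !/['"\\\n\r<>]/.test(rest);
  }
  throw new Error(`unknown output context: ${context}`);
}

// Constructed sample value containing a quote of each kind and a tag.
const SAMPLE = 'Bob\'s "Shop" <b>';
```

Encoding the sample twice with `htmlEncode` yields `&amp;lt;b&amp;gt;`, which the browser displays literally as `&lt;b&gt;`; that double-encoding is why the accepted answer leaves fields 3 and 5 alone where the platform already escapes them.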
 

All Answers

Abhishek (Salesforce Developers)
Hi Sebastian,

For all the Trailhead issues please report it here,

https://trailhead.salesforce.com/help?support=home#

https://trailhead.salesforce.com/help

So that our trailhead support engineers will look into it and get back to you.

I hope you find the above information is helpful. If it does, please mark as Best Answer to help others too.

Regards,
Salesforce Support.

 
S Wittenstein

Thank you Agustin B, that worked.

But I'm confused as to why Line 27 didn't need encoding, as that one is identical to a line in the "Built In XSS Protections Challenge", which I was required to mark as vulnerable to XSS in order to complete.