Prevent XSS in Lightning Platform Applications
I am attempting to complete Prevent XSS in Lightning Platform Applications.
The only feedback the challenge provides is: "It doesn't appear that you've fixed all of the merge fields to prevent cross-site scripting vectors. Please check your code again."
This feedback is provided even if I delete all the code. I've provided what I think is the correct answer, but no dice.
Can someone tell me what I've got wrong? I've spent more than 2 hours on this 45 minute exercise.
Code as follows:
<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
    <apex:sectionHeader title="XSS Mitigations Challenge" />
    <apex:form >
        <apex:pageBlock >
            <c:Classic_Error />
            <apex:pageMessages />
            <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
                <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
                <apex:outputText value="{!sampleMergeField1}"/>
                <!--apex:outputText value="{!sampleMergeField1}"/-->
                <!-- sampleMergeField1 is vulnerable to XSS: NO -->
                <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
                <!--apex:outputText value="{!sampleMergeField2}" escape="false"/-->
                <!-- sampleMergeField2 is vulnerable to XSS: YES -->
                <apex:outputText >
                    {!sampleMergeField3}
                </apex:outputText>
                <!--apex:outputText >
                    {!sampleMergeField3}
                </apex:outputText-->
                <!-- sampleMergeField3 is vulnerable to XSS: NO -->
                <script>
                    document.write('{!JSENCODE(sampleMergeField4)}');
                </script>
                <!--style>
                    document.write('{!JSENCODE(sampleMergeField4)}');
                </style-->
                <!-- sampleMergeField4 is vulnerable to XSS: YES -->
                {!JSINHTMLENCODE(sampleMergeField5)}
                <!--{!sampleMergeField5}-->
                <!-- sampleMergeField5 is vulnerable to XSS: YES -->
                <script>
                    var x = '{!JSENCODE(sampleMergeField6)}';
                </script>
                <!--script>
                    var x = '{!sampleMergeField6}';
                </script-->
                <!-- sampleMergeField6 is vulnerable to XSS: YES -->
                <apex:outputLabel value="{!JSINHTMLENCODE(sampleMergeField7)}" escape="false"/>
                <!--apex:outputLabel value="{!sampleMergeField7}" escape="false"/-->
                <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            </apex:pageBlockSection>
            <apex:pageBlockSection title="Code links" columns="1">
                <apex:outputPanel >
                    <ul>
                        <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>
                        <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                    </ul>
                </apex:outputPanel>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>
All Answers
For all Trailhead issues, please report them here:
https://trailhead.salesforce.com/help?support=home#
https://trailhead.salesforce.com/help
Our Trailhead support engineers will look into it and get back to you.
I hope you find the above information helpful. If so, please mark it as Best Answer to help others too.
Regards,
Salesforce Support.
Thank you Agustin B, that worked.
But I'm confused as to why Line 27 didn't need encoding, as that one is identical to a line in the "Built In XSS Protections Challenge", which I was required to mark as vulnerable to XSS in order to complete.
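The confusion above is about output context: the same merge field needs a different encoder depending on whether it lands in HTML, in a string inside a script block, or in a script string that the browser HTML-decodes first. Here is that rule modelled in JavaScript, as an added example that is not from the original post or from Salesforce; htmlEncode, jsEncode and jsInHtmlEncode are simplified stand-ins for HTMLENCODE, JSENCODE and JSINHTMLENCODE (the platform versions escape more characters, an assumption noted in the code), and the sample value is constructed.

```javascript
// Added example, not from the original post or from Salesforce: a model of which
// Visualforce encoder keeps an untrusted value inside its output context.
// htmlEncode/jsEncode/jsInHtmlEncode are simplified stand-ins for HTMLENCODE,
// JSENCODE and JSINHTMLENCODE (assumption: the platform escapes more characters,
// but the contexts each one targets are the same).
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
function jsEncode(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"')
    .replace(/\//g, '\\/').replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}
// JS-escape first, then HTML-escape: for a JS string the browser HTML-decodes
// before the script parser sees it (e.g. inside an onclick="..." attribute).
function jsInHtmlEncode(s) {
  return htmlEncode(jsEncode(s));
}
// Reverses htmlEncode; models the browser decoding an attribute value.
function htmlDecode(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}
// Does the encoded text escape the context it was written into?
const breaks = {
  // HTML body, or an attribute rendered with escape="false": a raw tag delimiter.
  htmlBody: (enc) => /[<>]/.test(enc),
  // Single-quoted literal inside <script>: the browser does not HTML-decode here,
  // so only an unescaped quote, a raw line break or </script can end the literal.
  scriptString: (enc) =>
    /(^|[^\\])'/.test(enc) || /[\r\n]/.test(enc) || /<\/script/i.test(enc),
  // Single-quoted JS literal inside a double-quoted HTML attribute: a raw " ends
  // the attribute, and the value is HTML-decoded before the JS parser reads it.
  attrJsString: (enc) => /"/.test(enc) || breaks.scriptString(htmlDecode(enc)),
};
const ENCODERS = { none: (s) => s, htmlEncode, jsEncode, jsInHtmlEncode };
// For each context, the encoders that keep `value` contained (in ENCODERS order).
function safeEncoders(value) {
  const out = {};
  for (const [ctx, breaksOut] of Object.entries(breaks)) {
    out[ctx] = Object.keys(ENCODERS).filter((n) => !breaksOut(ENCODERS[n](value)));
  }
  return out;
}
// Constructed untrusted value: a quote, a double quote, a tag and a line break.
const SAMPLE = 'O\'Neil "x" <b>y</b>\nline2';
console.log(safeEncoders(SAMPLE));
// → htmlBody: htmlEncode, jsInHtmlEncode; scriptString: jsEncode, jsInHtmlEncode;
//   attrJsString: jsInHtmlEncode only
```

Note that JSINHTMLENCODE is the only encoder that survives all three contexts here, but in a plain HTML body or a script block it leaves visibly mangled text, which is why the challenge expects the encoder that matches each context rather than one encoder everywhere.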