admintrmp

Building own security measures and mechanisms

The system we have created needs to be able to display HTML from stored data. I understand that using outputText with escape set to false poses a security risk.


So what I managed to do was create a method that manages all the security risks and then outputs that value to the page. This method will do the following:


  • Removes all script and iframe tags
  • Removes any images from an external source
  • Removes any CSS expressions
  • Removes all JavaScript attributes (anything prefixed with "on")
  • Removes JavaScript from links
  • Removes anything that retrieves a source (apart from internal image sources)
  • Removes all link tags to external sources


Is it alright to do something like this and how would this come across to a security review?

If this sounds ok to do, are there any missing vulnerabilities in that list that I may have forgotten?

ygluck

It sounds like you are trying to take untrusted input and sanitize it to only allow safe html tags/attributes. Is this correct? If this is correct, I would strongly discourage you from doing so on your own. Instead you should probably leverage our built-in solutions that do it (i.e. use a Rich Text Area field - https://na1.salesforce.com/help/doc/en/fields_using_rich_text_area.htm).


If for some reason you can't use our solution, I would recommend using a whitelist approach, meaning: create a list of tags and attributes that you need and know can only be used safely, and only allow those. Same thing for protocols in href attributes etc.


Yoel Gluck

Product Security Team @ Salesforce.com
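An allowlist sanitizer of the kind this answer recommends, written as an added example (it is not code from this thread or from Salesforce, and it is in Python rather than Apex so it can be run here): tags, attributes and URL schemes must be on a list to survive, image sources are restricted to internal hosts, and everything else, including the "on*" handlers and script: URLs the question lists, is dropped rather than matched. The INTERNAL_IMAGE_HOSTS value is an assumption standing in for the real site's hosts.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: only these tags survive; any other tag is dropped but its text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}  # everything else (on* handlers, style, ...) is dropped
DROP_CONTENT = {"script", "style", "iframe"}  # contents are discarded, not just the tags
INTERNAL_IMAGE_HOSTS = {"", "img.example.com"}  # assumed internal image hosts; "" = relative URL

def safe_url(value, image=False):
    # Browsers ignore whitespace/control characters before the scheme, so strip them first.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    parts = urlsplit(cleaned)  # lowercases the scheme, so "JavaScript:" is caught as well
    if image:
        ok = parts.scheme in {"", "https"} and parts.netloc in INTERNAL_IMAGE_HOSTS
    else:
        ok = parts.scheme in {"", "http", "https", "mailto"}
    return cleaned if ok else None  # None means: drop the attribute

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive entity-decoded
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name in ("href", "src"):
                    value = safe_url(value or "", image=(tag == "img"))
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            if tag != "img" or any(a.startswith(" src=") for a in kept):  # <img> needs a safe src
                self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Comments and unknown declarations are dropped because the parser has no handler for them, and because HTMLParser decodes entities before the scheme check, an entity-encoded scheme in href is caught the same way as a plain one.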