Ankur Saini 9

Query: Stored XSS : Security Code Review

<apex:repeat value="{!listOfShowSettings}" var="settObj">
    <td class="border1" style="text-align:center;">{!i}</td>
    <!-- Job_Name__c is a stored field value merged directly into a JavaScript string literal inside onclick (a JavaScript context), and again as the link text -->
    <td class="border1" style="text-align:center;"><a href="#!" onclick="document.getElementById('Multiple').style.display='none';document.getElementById('Nested').style.display='none';selectJobToShow('{!settObj.dataLoaderObject.Job_Name__c}')">{!settObj.dataLoaderObject.Job_Name__c}</a></td>
    <td class="border1" style="text-align:center;">{!settObj.noOfObject}</td>
    <td class="border1" style="text-align:center;">{!settObj.dataLoaderObject.Query_Type__c}</td>
    <td class="border1" style="text-align:center;">Temp</td>
    <apex:variable var="i" value="{!i+1}"/>
</apex:repeat>

Nagendra (Salesforce Developers)
Hi Ankur,

Cross-site scripting (XSS) is a vulnerability that occurs when an attacker can insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page viewed by other users. A malicious script inserted into a page in this manner can hijack the user's session, submit unauthorized transactions as the user, or steal confidential information.

Mechanisms provided in VF to overcome this issue:

1) Built-in auto encoding:
All merge fields are always auto HTML encoded provided they
i) do not occur within a <script> or <style> tag
ii) do not occur within an apex tag with the escape='false' attribute

2) Built-in Visualforce encoding functions:
The platform provides the following Visualforce encoding functions:

JSENCODE -- performs string encoding within a JavaScript string context
HTMLENCODE -- encodes all characters with the appropriate HTML character references so as to avoid interpretation of characters as markup.
URLENCODE -- performs URI encoding (% style encoding) within a URL component context
JSINHTMLENCODE -- a convenience method that is equivalent to the composition of HTMLENCODE(JSENCODE(x))

There is a detailed article at the link below.

Sample example:
<div onclick="this.innerHTML='Howdy {!Account.Name}'">Click me!</div>
The above is vulnerable.
Let's see how we use the encode functions to rectify this.
<!-- safe -->
<div onclick="this.innerHTML='Howdy {!JSENCODE(HTMLENCODE(Account.Name))}'">Click me!</div>
The above is safe since we have used HTMLENCODE and JSENCODE to encode, and hence it is hard for an attacker to inject a script or insert an iframe.

Please make sure you follow the same while submitting it for review.
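To show why the merge field inside selectJobToShow('...') in the question's onclick needs JSENCODE even though the platform auto HTML-encodes merge fields (point 1 above), here is an added JavaScript model; it is not code from this thread or from Salesforce. htmlEncode and jsEncode are my approximations of the two Visualforce functions, the onclick text is an abbreviated form of the asker's, and the test value is constructed.

```javascript
// Added example, not from the thread: models the asker's onclick so the effect of each
// encoder on the JavaScript string context can be checked offline.

function htmlEncode(s) {
  // Approximation of HTMLENCODE: replace characters that have meaning in HTML markup.
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function htmlDecode(s) {
  // What the browser does to an attribute value before the JavaScript engine sees it.
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, m => map[m]);
}

function jsEncode(s) {
  // Approximation of JSENCODE: backslash-escape quotes, backslashes and newlines and
  // hex-escape angle brackets, so the value can neither end the string literal nor close a tag.
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r',
                '<': '\\x3C', '>': '\\x3E' };
  return String(s).replace(/[\\'"\n\r<>]/g, c => map[c]);
}

// Attribute text as the page would emit it: the merge value goes through `encoder`, then the
// platform's automatic HTML encoding is applied to the result (assumed to apply here).
function onclickAttribute(jobName, encoder) {
  return "document.getElementById('Multiple').style.display='none';" +
         `selectJobToShow('${htmlEncode(encoder(jobName))}')`;
}

// After HTML decoding, does the merge value still sit entirely inside the string literal,
// leaving only the closing "')" of the call? False means the value escaped the literal.
function valueStaysInsideLiteral(attributeText) {
  const js = htmlDecode(attributeText);
  const open = "selectJobToShow('";
  let i = js.indexOf(open);
  if (i < 0) return false;
  for (i += open.length; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }  // backslash escape: skip the escaped character
    if (js[i] === "'") break;                // an unescaped quote ends the literal
  }
  return js.slice(i) === "')";
}

// Constructed test value: one apostrophe is enough to leave the literal when the field is
// only HTML-encoded, because the browser decodes &#39; back to ' before running the handler.
const CONSTRUCTED_JOB_NAME = "Q1 Load'); evil(); //";
const rawMerge = s => s;  // the asker's line: no JSENCODE, auto HTML encoding only
```

Running valueStaysInsideLiteral on onclickAttribute(CONSTRUCTED_JOB_NAME, rawMerge) returns false, while the same call with jsEncode returns true, which is the difference the review is asking for.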