Ram S

Fix Potential Cross-site Scripting Vectors

Hi All,
If anyone finds difficulties passing this challenge, please make these changes in the VF page:
<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText > {!sampleMergeField3} </apex:outputText>
<script> document.write('{!JSINHTMLENCODE(sampleMergeField4)}'); </script>
{!sampleMergeField5}
<script> var x = '{!JSENCODE(sampleMergeField6)}'; </script>
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>

Thanks,
Ram
Best Answer chosen by Ram S
Ram S
<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText > {!sampleMergeField3} </apex:outputText>
<script> document.write('{!JSINHTMLENCODE(sampleMergeField4)}'); </script>
{!sampleMergeField5}
<script> var x = '{!JSENCODE(sampleMergeField6)}'; </script>
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>

All Answers

mahamed raheem
For me, I'm getting the below error:

[image: error screenshot, not reproduced]
Pavlo Shchur
Hi Mahamed Raheem, make sure you took into account the suggestion which was provided by Ram S. Otherwise, show your markup.
Mahesh_Golla
Hi Raheem,
If you are doing the "Identify Potential Cross-Site Scripting Vectors" unit challenge, you just need to edit the comment lines to either YES or NO.
So the answer will be:
Line 10: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 14: <!-- sampleMergeField1 is vulnerable to XSS: YES -->
Line 20: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 28: <!-- sampleMergeField1 is vulnerable to XSS: YES -->
Line 32: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 38: <!-- sampleMergeField1 is vulnerable to XSS: YES -->
Line 42: <!-- sampleMergeField1 is vulnerable to XSS: YES -->

Yves Asselin 3
I tell you... the guys that write these are something else... I just don't understand things like #4...

<style>
    .foo {
        color: #{!sampleMergeField4};
    }
</style>

Following Ram S's answer I added the following code, but I just don't understand how we were supposed to figure this out...

<style>
    .foo {
        color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
    }
</style>

Anyway, this code worked for me...

<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS:YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS:NO -->
       
       
            <style>
                .foo {
                    color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS:YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS:NO -->
            
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS:YES -->
            
            
            <apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS:YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
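An added example (not code from the thread or from Trailhead): a small Python checker that applies the rule behind Ram S's fix to each merge field, classifying its output context and flagging the ones that lack the encoder that context needs. It assumes plain body text and default attributes are auto-encoded, that escape="false" attributes need HTMLENCODE, that <script> needs JSENCODE or JSINHTMLENCODE, and that the <style> case is handled like the accepted fix with JSINHTMLENCODE; the sample markup is constructed.

```python
import re
# Encoders the thread's accepted fix wraps around each output context. Treating
# <style> as needing JSINHTMLENCODE is an assumption mirroring that fix, not a
# Salesforce rule; plain HTML body and default attributes are auto-encoded.
SAFE_ENCODERS = {
    "attr_unescaped": {"HTMLENCODE", "JSINHTMLENCODE"},
    "script": {"JSENCODE", "JSINHTMLENCODE"},
    "style": {"JSINHTMLENCODE"},
}
MERGE = re.compile(r"\{!\s*(?:([A-Z]+)\s*\()?\s*\(?\s*([A-Za-z0-9_.]+)\s*\)*\s*\}")

def context_at(markup, pos):
    """Classify where the merge field starting at `pos` is rendered."""
    before = markup[:pos].lower()
    for tag in ("script", "style"):      # inside an unclosed <script> or <style>?
        if before.rfind("<" + tag) > before.rfind("</" + tag):
            return tag
    lt = before.rfind("<")
    if lt > before.rfind(">"):           # inside an unclosed tag: attribute value
        end = markup.find(">", pos)
        tag_text = markup[lt:end if end != -1 else len(markup)]
        if re.search(r'escape\s*=\s*"false"', tag_text):
            return "attr_unescaped"      # Visualforce will not encode this one
        return "attr_escaped"
    return "html"

def find_xss_vectors(markup):
    """Return (field, context, encoder, vulnerable) for every merge field."""
    findings = []
    for m in MERGE.finditer(markup):
        encoder, field = m.group(1), m.group(2)
        ctx = context_at(markup, m.start())
        needed = SAFE_ENCODERS.get(ctx)  # None: context is auto-encoded
        findings.append((field, ctx, encoder, needed is not None and encoder not in needed))
    return findings

# Constructed sample: the challenge's seven fields, some fixed and some not.
SAMPLE_VF = """
<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText > {!sampleMergeField3} </apex:outputText>
<style> .foo { color: #{!sampleMergeField4}; } </style>
{!sampleMergeField5}
<script> var x = '{!sampleMergeField6}'; </script>
<apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
"""
if __name__ == "__main__":
    for field, ctx, enc, vuln in find_xss_vectors(SAMPLE_VF):
        print(f"{field:18} {ctx:15} {enc or '-':15} {'VULNERABLE' if vuln else 'ok'}")
```

Run it to see fields 4, 6 and 7 flagged; wrapping those three in the encoder their context needs makes every row come back "ok".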
Kundan Shukla 3
Hey Peers,

Update to this question and its answer.
You do not need to put the additional functions or wrap the merge fields in the additional functions as mentioned above.

What you need to do is mention the correct merge field name in the comment and specify whether it is vulnerable or not.
For example, in the case of the following merge field:

<apex:outputText value="{!sampleMergeField2}" escape="false"/>
<!-- sampleMergeField2 is vulnerable to XSS: YES -->

Note the comment. Mention the correct merge field name.

Hope this helps you. It certainly worked for me.
Avinash Solanki
Is there a problem with this VF code? It is not working for the solution. Can anybody explain to me why it is not working? Below is my code:
<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
    <apex:pageBlock >
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
            
            
            <apex:outputText value="{!(sampleMergeField1)}"/>


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>


            <apex:outputText >
                {!(sampleMergeField3)}
            </apex:outputText>
       
       
            <script>
                document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
            </script>
             
            
            {!(sampleMergeField5)}
            
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}'; 
            </script>
            
            
            <apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
                     

        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
James Mclane 31
Kundan and others, the question is specific to the "Fix Potential Cross-site Scripting Vectors" module, not the "Identify Potential Cross-site Scripting Vectors" module. The answer provided by Ram S above is the proper solution.
Gennady Yanovsky 5
Keep in mind that this is for the "Discover Built-in XSS Protections in Lightning Platform" section.

Here is the correct code to load into your VF page:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->

            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS:YES -->

            <apex:outputText > {!sampleMergeField3} </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS:NO -->
       
            <style>
                .foo {
                    color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS:YES -->
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS:YES -->
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS:YES -->
      
            <apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS:YES -->
 
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
B D
The above code works for me, thanks Gennady Yanovsky 5.
ALONSO RAMIREZ
I was looking for help on Discover Built-in XSS Protections in Lightning Platform and Gennady Yanovsky 5's code worked for me.
Matt Holdgate 1
I got the answers right, but obviously the spacing and things got it confused. Thanks @Gennady
sumit verma 43
Working code. If you still face an issue, then replace <!-- Line 32 is vulnerable to XSS: YES --> with <!-- Line 32 is vulnerable to XSS: NO -->.

<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">    
              
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- Line 10 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- Line 14 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- Line 19 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- Line 26 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- Line 32 is vulnerable to XSS: YES -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- Line 37 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- Line 42 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
satya prasad 60
Hi! Can anyone please provide me with the complete solution?
Thanks

satya prasad 60
Identify Potential Cross-Site Scripting Vectors.
Thanks