ShaikA

How to encode xyz to avoid Cross-site Scripting (XSS)

Hi All,

Please let me know how to encode "xyz" in outputlink to avoid Cross-site Scripting (XSS).

<apex:repeat var="xyz" value="{!RelationshipName}">
    <apex:outputLink onclick="window.open('/apex/MyVfPage?id={!JSENCODE(Account.Id)}&relName={!xyz}','newwin', 'width=500, height=250, resizable=No, scrollbars=yes'); return false;">
        <font size='2'>{!xyz}</font>
    </apex:outputLink>
</apex:repeat>

Thanks in Advance 
Shaik
Alba Rivas
Hi, 

How is RelationshipName being populated? Is it exploitable? It could be if it is something to which the user is supplying values (reflected XSS) or something that is being populated from the database, as a merge field or a custom label for example (stored XSS). As I understand from your question it is, but I just want to be sure.

This is JavaScript context, so the only safe place to put a variable that is controlled by the user is inside a string, and always surrounding it with JSENCODE. Salesforce escapes all double-quotes already, so there's no need to do an additional HTMLENCODE to avoid it breaking out into HTML context. You already have it in a string, so I think with JSENCODE it should be enough.

Regards.
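To show why encoding for the JavaScript string context is what matters here, the following is an added example (not code from the thread or from Salesforce): a small encoder that approximates what JSENCODE does, the onclick handler from the question rebuilt with both merge fields encoded, and a harness that runs that handler against a stub window to confirm the value never leaves the string literal. The account id, the sample relationship name and the function names are all constructed for the example.

```javascript
// Added example: approximate JS-string-context encoder (not Salesforce's
// JSENCODE implementation) plus a harness for the onclick handler.

function jsStringEncode(value) {
  // Backslash-escape every character that could end or alter a JS string
  // literal; '<' and '>' become \uXXXX so no HTML tag can appear verbatim.
  return String(value).replace(/[\\'"<>\r\n\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case "'":  return "\\'";
      case '"':  return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default:   return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// The onclick attribute from the question, with {!JSENCODE(Account.Id)} and
// {!JSENCODE(xyz)} replaced by the encoder above. accountId and relName stand
// in for the merge-field values (hypothetical names).
function buildOnclick(accountId, relName) {
  return "window.open('/apex/MyVfPage?id=" + jsStringEncode(accountId) +
         "&relName=" + jsStringEncode(relName) +
         "','newwin', 'width=500, height=250, resizable=No, scrollbars=yes'); return false;";
}

// Run the handler against a stub window and return the URL window.open saw.
// A value that had broken out of the string literal would either throw a
// SyntaxError here or change the URL; an encoded value round-trips intact.
function urlOpenedBy(onclick) {
  let opened = null;
  const fakeWindow = { open: (url) => { opened = url; } };
  const handler = new Function('window', onclick);
  handler(fakeWindow);
  return opened;
}

// Constructed sample values containing the characters that matter.
const SAMPLE_ACCOUNT_ID = '001000000000001';
const SAMPLE_REL_NAME = "O'Neil \"Co\" <b>";
```

Because relName also lands in a query string, a value containing `&` or `#` would still split the URL parameter; keeping the URL well-formed is a separate step (URL-encoding the value before the JavaScript encoding), distinct from the XSS question the answer addresses.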