Niraj Ganani

Security review

In a Checkmarx security review I got a Reflected XSS issue on the line below:
<script type="text/javascript" language="javascript">
    //initActions();
    proceccOptions('{!questionType}');
</script>
Best Answer chosen by Niraj Ganani
Amit Chaudhary 8
Let's first understand what XSS is and see what the possible ways to prevent it are.

Cross-site scripting (XSS) is a vulnerability that occurs when an attacker can insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page viewed by other users. A malicious script inserted into a page in this manner can hijack the user's session, submit unauthorized transactions as the user, or steal confidential information.

Mechanisms provided in VF to overcome this issue
1) Built-in auto encoding

All merge fields are always auto HTML encoded provided they
i) do not occur within a or tag
ii) do not occur within an apex tag with the escape='false' attribute

2) Built-in Visualforce encoding functions
The platform provides the following Visualforce encoding functions:
JSENCODE -- performs string encoding within a JavaScript string context

HTMLENCODE -- encodes all characters with the appropriate HTML character references so as to avoid interpretation of characters as markup.

URLENCODE -- performs URI encoding (% style encoding) within a URL component context

JSINHTMLENCODE -- a convenience method that is equivalent to the composition HTMLENCODE(JSENCODE(x))

There is a detailed article at the link below:
https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting

Sample example:
<div onclick="this.innerHTML='Howdy {!Account.Name}'">Click me!</div>

The above is vulnerable.
Let's see how we use the encode functions to rectify this:
<!-- safe -->
<div onclick="this.innerHTML='Howdy {!JSENCODE(HTMLENCODE(Account.Name))}'">Click me!</div>

The above is safe since we have used HTMLENCODE and JSENCODE to encode, and hence it's hard for an attacker to inject a script or insert an iframe.


Try updating your code like below:
<script type="text/javascript" language="javascript">
    //initActions();
    proceccOptions('{! JSENCODE(HTMLENCODE(questionType))}');
</script>

Let us know if this helps you.

Thanks
Amit Chaudhary
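The two JS-string contexts discussed in the answer above (a merge field inside a script body, and one inside an onclick attribute), worked through as an added example that is not code from this thread or from Salesforce. htmlEncode and jsEncode are assumed approximations of HTMLENCODE and JSENCODE, greet() is a hypothetical handler, and parseLiteral models how the JS engine reads the emitted literal.

```javascript
// Added example (not from the thread or from Salesforce). htmlEncode/jsEncode are
// assumed approximations of HTMLENCODE/JSENCODE; the browser behaviour modelled
// (entities decoded in attribute values, not in a <script> body) is standard HTML.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNENT = Object.fromEntries(Object.entries(ENT).map(([c, e]) => [e, c]));
// HTMLENCODE approximation: markup-significant characters become entities.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENT[c]);
}
// JSENCODE approximation: escape anything that could end a JS string literal,
// plus '<' and '/' so the emitted source can never contain "</script>".
function jsEncode(s) {
  const esc = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r',
                '<': '\\x3c', '/': '\\/' };
  return String(s).replace(/[\\'"\n\r<\/]/g, (c) => esc[c]);
}
// What the HTML parser hands to the JS engine for an attribute value.
function decodeAttr(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (e) => UNENT[e]);
}

// Parse one single-quoted JS string literal at the start of src as the JS engine
// would; if `rest` is not the expected tail, the merge field escaped the literal.
function parseLiteral(src) {
  if (src[0] !== "'") throw new Error('expected a string literal');
  let value = '';
  for (let i = 1; i < src.length; i++) {
    const c = src[i];
    if (c === "'") return { value, rest: src.slice(i + 1) };
    if (c !== '\\') { value += c; continue; }
    const n = src[++i];
    if (n === 'x') { value += String.fromCharCode(parseInt(src.slice(i + 1, i + 3), 16)); i += 2; }
    else value += ({ n: '\n', r: '\r' })[n] ?? n;
  }
  throw new Error('unterminated string literal');
}

// The asker's case: merge field in a JS string inside a <script> body. Nothing
// is entity-decoded there, so JSENCODE's escaping alone keeps the literal intact.
function scriptBlockView(questionType) {
  const src = `proceccOptions('${jsEncode(questionType)}');`;
  return parseLiteral(src.slice('proceccOptions('.length));
}

// JS string in an onclick attribute (hypothetical greet()): the browser decodes
// entities, then parses JS, so encoders nest in reverse: HTMLENCODE(JSENCODE(x)).
function onclickView(name) {
  const attr = `greet('Howdy ${htmlEncode(jsEncode(name))}')`;
  return parseLiteral(decodeAttr(attr).slice('greet('.length));
}
```

Both views return the original value unchanged with `rest` equal to the expected closing tail, which is the property a reviewer checks: the merge field stays data in every layer that decodes it.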
 

All Answers

Niraj Ganani
Thank you Amit...! Your solution worked in my org. :-)
Sikha Ashok Baid

<p>{!mergefield}</p>

Is this XSS vulnerable?

Niraj Ganani
No Sikha, I don't think that it is XSS vulnerable, because you are not passing the parameters to a function or performing any action. You are only displaying the value.