Niraj Ganani
Security review
In a security review with Checkmarx I got a Reflected XSS issue on the line below:
<script type="text/javascript" language="javascript">
//initActions();
proceccOptions('{!questionType}');
</script>
Cross-site scripting (XSS) is a vulnerability that occurs when an attacker can insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page viewed by other users. A malicious script inserted into a page in this manner can hijack the user's session, submit unauthorized transactions as the user, or steal confidential information.
Mechanisms provided in VF to overcome this issue:
1) Built-in auto encoding
All merge fields are always auto HTML-encoded provided they
ii) do not occur within an apex tag with the escape='false' attribute
2) Built-in Visualforce encoding functions
The platform provides the following Visualforce encoding functions:
There is a detailed article at the link below:
https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting
Sample example
The above is vulnerable.
Let's see how we use the encode functions to rectify this.
The above is safe since we have used HTMLENCODE and JSENCODE to encode, and hence it's hard for an attacker to inject a script or insert an iframe.
Try to update your code like below.
Let us know if this helps you.
Thanks
Amit Chaudhary
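The answer above recommends JSENCODE for a merge field that sits inside a <script> block. The JavaScript below is added here as an illustration (it is not code from the post or from Salesforce) and shows why the default HTML encoding is the wrong tool in that context: htmlEncode and jsEncode are simplified stand-ins for Visualforce's HTMLENCODE and JSENCODE, proceccOptions is stubbed, and SAMPLE_QUESTION_TYPE is a constructed value.

```javascript
// Simplified stand-in for HTMLENCODE: entity-encode HTML-reserved characters.
// Entities are NOT decoded inside a <script> block, so this both fails to
// protect the JS string literal and corrupts the data the function receives.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified stand-in for JSENCODE: backslash-escape every character that
// could terminate or alter a JS string literal (quotes, backslash, line
// terminators) and the angle brackets that could close the <script> tag.
function jsEncode(s) {
  const map = {
    '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r',
    '\u2028': '\\u2028', '\u2029': '\\u2029', '<': '\\x3c', '>': '\\x3e',
  };
  return s.replace(/[\\'"\n\r\u2028\u2029<>]/g, (c) => map[c]);
}

// Build the script body exactly the way the posted Visualforce line does,
// substituting the {!questionType} merge field through the chosen encoder.
function renderScript(questionType, encoder) {
  return "proceccOptions('" + encoder(questionType) + "');";
}

// Parse and run the rendered body with a stub proceccOptions, and report the
// argument it actually received. A parse error means the data changed the
// structure of the script, which is the precondition for script injection.
function runRendered(body) {
  let received = null;
  try {
    new Function('proceccOptions', body)((v) => { received = v; });
    return { ok: true, value: received };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample value containing a quote, a backslash and angle brackets.
const SAMPLE_QUESTION_TYPE = "Yes/No 'or' maybe\\ <end>";

// Compare the three ways of emitting the merge field into the script.
function compareEncodings(questionType) {
  return {
    raw: runRendered(renderScript(questionType, (s) => s)),
    html: runRendered(renderScript(questionType, htmlEncode)),
    js: runRendered(renderScript(questionType, jsEncode)),
  };
}
```

Only the jsEncode variant both parses cleanly and hands proceccOptions the original value unchanged; the raw variant breaks the script's structure, and the HTML-encoded variant parses but delivers entity-mangled data.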
All Answers
<p>{!mergefield}</p>
Is this XSS vulnerable?