function readOnly(count){ }
Sign Up ›
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
Learn More

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
Uttpal_ChandraUttpal_Chandra 

Stored XSS in wrapper Class

Hi all,

I got a Stored XSS  error in the wrapper class method and I am using the wrapper class variable on the VF page in apex:repeat.

Anyone know why it is happening...??
mukesh guptamukesh gupta
Hi Uttpal,

Cross-site scripting(XSS) is a vulnerability that occurs when an attacker can insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page viewed by other users. A malicious script inserted into a page in this manner can hijack the user’s session, submit unauthorized transactions as the user, steal confidential information


Mechanism provided in VF to Overcome this issue

1)Built in Auto Encoding
All merge-fields are always auto HTML encoded provided they
i)do not occur within a or tag
ii)do not occur within an apex tag with the escape='false' attribute
2)Built in VisualForce encoding functions

The platform provides the following VisualForce encoding functions:

JSENCODE -- performs string encoding within a Javascript String context
HTMLENCODE -- encodes all characters with the appropriate HTML character references so as to avoid interpretation of characters as markup.
URLENCODE -- performs URI encoding (% style encoding) within a URL component context
JSINHTMLENCODE -- a convenience method that is equivalent to the composition of HTMLENCODE(JSENCODE(x))
There is a detailed article in below link
https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting
Sample example 
<div onclick="this.innerHTML='Howdy {!Account.Name}'">Click me!</div>


The above is vulnerable
Lets see how we use Encode functions to rectify this
<!-- safe --> 
<div onclick="this.innerHTML='Howdy {!JSENCODE(HTMLENCODE(Account.Name))}'">Click me!</div>


The above is safe since we have use HTMLENCODE AND JSENCODE to encode and hence its hard for attacker to inject script or insert iframe
Edit
For your code try like below 
if('{!JSENCODE(sfield)}' !=''){ $elem.select2("data", {id: "{!JSENCODE(new)}", text: "{!JSENCODE(sfield)}"}) }


Edit 2
Use the String function to wrap the sfiled because JSENCODE only accepts TEXT 
if('{!JSENCODE(String(sfield))}' !=''){ $elem.select2("data", {id: "{!JSENCODE(new)}", text: "{!JSENCODE(String(sfield))}"}) }

if you need any assistanse, Please let me know!!


Kindly mark my solution as the best answer if it helps you.

Thanks
Mukesh
Uttpal_ChandraUttpal_Chandra
Hi Mukesh,

I had already tried JSENCODE & JSINHTMLENCODE both did not work.

See below code 
<apex:repeat value="{!wrapContactList}" var="c">
                                            <TR>
												<!--log a call -->
                                                <td style="{!IF(client != 'Client_Campaign','text-align:center;','display:none;')}">
                                                    <apex:commandButton styleClass="slds-button slds-button--brand" value="Call" onclick="return senddatafortask('{!JSINHTMLENCODE(c.Con.Id)}');" status="spinnerStatus"/>
                                                </td>
											</TR>
</apex:repeat>