Sebastian Wittenstein 10

Prevent XSS in Lightning Platform Applications

I am attempting to complete Prevent XSS in Lightning Platform Applications.

The only feedback the challenge provides is: "It doesn't appear that you've fixed all of the merge fields to prevent cross-site scripting vectors. Please check your code again."

This feedback is provided even if I delete all the code. I've provided what I think is the correct answer, but no dice. 

Can someone tell me what I've got wrong? I've spent more than 2 hours on this 45 minute exercise.

Code as follows:

<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
                        
            <apex:outputText value="{!sampleMergeField1}"/>
            <!--apex:outputText value="{!sampleMergeField1}"/-->
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
            <!--apex:outputText value="{!sampleMergeField2}" escape="false"/-->
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!--apex:outputText >
                {!sampleMergeField3}
            </apex:outputText-->
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <script>
                document.write('{!JSENCODE(sampleMergeField4)}');
            </script>
            <!--style>
                document.write('{!JSENCODE(sampleMergeField4)}');
            </style-->
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->

             
            
            {!JSINHTMLENCODE(sampleMergeField5)}
            <!--{!sampleMergeField5}-->
            <!-- sampleMergeField5 is vulnerable to XSS: YES -->
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            <!--script>
                var x = '{!sampleMergeField6}';
            </script-->
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            <apex:outputLabel value="{!JSINHTMLENCODE(sampleMergeField7)}" escape="false"/>
            <!--apex:outputLabel value="{!sampleMergeField7}" escape="false"/-->
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->      


        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>

Best Answer chosen by Sebastian Wittenstein 10
Agustin B
hi, try with this one:
<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
            
            
            <apex:outputText value="{!sampleMergeField1}"/>


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>


            <apex:outputText >
                {!sampleMergeField3}  <!-- doesn't require HTML encoding, as it's provided by the Lightning Platform -->
            </apex:outputText>
       
       
            <script>
                document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
            </script>
             
            
            {!sampleMergeField5}  <!-- doesn't require HTML encoding, as it's provided by the Lightning Platform -->
            
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            
            
            <apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
                     

        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
if it helps please like and mark as correct, as it may help others.
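As an added example that is not part of the thread or of the Salesforce platform, the JavaScript below approximates the three encoding functions the answers use and replays the browser's decoding steps; it shows that JSENCODE alone leaves document.write output (field 4) parseable as markup, that JSINHTMLENCODE is the right layering there, and that JSINHTMLENCODE in a plain HTML context (field 7) mangles backslashes where HTMLENCODE does not. The encoder character sets are assumptions modelled on the documented behaviour, not the platform's implementation.

```javascript
// Added example, not from the thread or from Salesforce: approximations of the
// Visualforce HTMLENCODE / JSENCODE / JSINHTMLENCODE functions, plus a tiny
// model of the browser's parsing layers, to show why each merge-field context
// in the accepted answer gets a different function.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text or attribute context (field 7: outputLabel with escape="false").
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// JavaScript string-literal context (field 6: var x = '...'). Quotes and
// backslashes get a backslash; angle brackets become hex escapes so the value
// can never terminate the enclosing <script> element.
function jsEncode(s) {
  return s.replace(/[\\'"<>\r\n]/g, (c) => {
    switch (c) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '<': return '\\x3C';
      case '>': return '\\x3E';
      case '\r': return '\\r';
      default: return '\\n';
    }
  });
}

// JS string literal that is later written into the DOM (field 4:
// document.write). The browser decodes the JS literal first and parses HTML
// second, so encoding is applied in the reverse order: HTML, then JS.
function jsInHtmlEncode(s) {
  return jsEncode(htmlEncode(s));
}

// Models the JS engine turning a string literal back into its runtime value.
function jsUnescape(lit) {
  return lit.replace(/\\(x([0-9A-Fa-f]{2})|.)/g, (m, esc, hex) => {
    if (hex) return String.fromCharCode(parseInt(hex, 16));
    return { n: '\n', r: '\r' }[esc] || esc;
  });
}

// What document.write('<literal>') hands to the HTML parser is only inert if
// no raw markup characters survive the JS layer.
function isInertAfterDocumentWrite(encoded) {
  return !/[<>"']/.test(jsUnescape(encoded));
}
```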
 

All Answers

Abhishek (Salesforce Developers)
Hi Sebastian,

For all Trailhead issues, please report them here:

https://trailhead.salesforce.com/help?support=home#

https://trailhead.salesforce.com/help

so that our Trailhead support engineers can look into it and get back to you.

I hope you find the above information helpful. If it does, please mark it as Best Answer to help others too.

Regards,
Salesforce Support.

 
Sebastian Wittenstein 10

Thank you Agustin B, that worked.

But I'm confused as to why Line 27 didn't need encoding, as that one is identical to a line in the "Built In XSS Protections Challenge", which I was required to mark as vulnerable to XSS in order to complete.