JuanBess

Unescape HTML caused Security Review issue

I'm looking to render a Visualforce page as a Doc file.

In the content of the document I need to include the HTML stored in the database (entered through a text area with the standard rich text editor). The problem is that I failed the security review because of this.

Any help or work around to pass the review?

This is where it failed:

50. public FooController() //FooController.cls
...
53. currentId = ApexPages.currentPage().getParameters().get('cId');
1. <!-- //Foo.page
...
412. <div><apex:outputText escape="false" value="{!fooObj.richText__c}"/></div>

I also tried to wrap my object in an inner class to avoid mapping the stored field directly, but without luck.

Thanks in advance,

J.

Ispita_Navatar

Well, if I am understanding your question correctly, your given code snippet failed the Salesforce security review.

If that is the case, you can do exactly what I did in my code. I am attaching the snippet below:

var strObj1Id="{!SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(Object1Id, '&','&#38;'), '>','&#62;'), '<','&#60;'),'\'','&#39;'),'"','&#34;')}";//To Prevent XSS attack added on 08/06/2009.
var arrSelectedObj2 = {!SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(GETRECORDIDS($ObjectType.Object2 ), '&','&#38;'), '>','&#62;'), '<','&#60;'),'\'','&#39;'),'"','&#34;')};//To Prevent XSS attack added on 08/06/2009.

This is what I had done to make my code acceptable from a security standpoint.

This was done in a JavaScript snippet, but it will be a pointer nevertheless.

Did this answer your question? If not, let me know what didn't work, or if so, please mark it solved.
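Added example, not code from either post above: the first function mirrors the five SUBSTITUTE replacements from the answer in plain JavaScript (same order, '&' first so later entities are not double-encoded); the second covers the original poster's case, where the stored rich text must still render as markup, by keeping only an allowlist of tags and a vetted href. The allowlist, the helper names and the sample input are assumptions of this example.

```javascript
// Same five replacements as the SUBSTITUTE chain, in the same order.
// '&' must be replaced first: doing it later would re-encode the '&' that
// the other replacements introduce (e.g. '&#60;' -> '&#38;#60;').
function escapeForJsString(s) {
  return s.replace(/&/g, '&#38;').replace(/>/g, '&#62;').replace(/</g, '&#60;')
          .replace(/'/g, '&#39;').replace(/"/g, '&#34;');
}

// Rich text from a rich text editor must keep its formatting tags, so escaping
// everything is not an option. Instead keep an allowlist of formatting tags
// and drop every other tag and every attribute; <a> keeps href only when it
// is http(s) or mailto. Assumed allowlist; an illustrative tokenizer of this
// size is not a replacement for a vetted sanitizer library.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li', 'a', 'strong', 'em']);

function sanitizeRichText(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (m, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';      // <script>, <img>, <iframe>, ... removed
    if (m.startsWith('</')) return `</${name}>`;
    if (name === 'a') {
      const hit = /href\s*=\s*("([^"]*)"|'([^']*)')/i.exec(attrs);
      const url = hit ? (hit[2] !== undefined ? hit[2] : hit[3]).trim() : '';
      if (/^(https?:|mailto:)/i.test(url)) {
        return `<a href="${url.replace(/"/g, '&#34;')}">`;   // javascript: etc. dropped
      }
    }
    return `<${name}>`;                          // every attribute (onclick, style, ...) stripped
  });
}

// Constructed sample of what a richText__c field could hold.
const SAMPLE_RICH_TEXT =
  '<p onclick="x()">Hi <b>there</b><script>alert(1)</script>' +
  '<a href="javascript:alert(2)">bad</a> <a href="https://example.com/">ok</a></p>';

function demo() {
  return sanitizeRichText(SAMPLE_RICH_TEXT);
  // returns '<p>Hi <b>there</b>alert(1)<a>bad</a> <a href="https://example.com/">ok</a></p>'
}
```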