Amit Singh1989

Getting XSRF issue while overriding Delete button of Custom Object with vf page

Hi friends,

I have created an object named Schedule Task, and I am overriding its delete button with a VF page (to fix navigation when the record is deleted)...

The code is working properly... but when I used the Source Code Scanner tool, I got an XSRF issue for this VF page and its Apex class....

Snapshot and source code are given below....

Thank you.

Amit Singh


XSRF issue

Severity - Serious

1. <apex:page standardController="Schedule_Task__c" extensions="DeleteScheduleTask" action="{!CheckDelete}"> //deletescheduletask.apexp
...
23. public PageReference checkDelete() //deletescheduletask.cls
...
27. Database.delete(objST);

<!-- VF PAGE  -->

<apex:page standardController="Schedule_Task__c" extensions="DeleteScheduleTask" action="{!CheckDelete}">
  
</apex:page>



/* Apex class */

public with sharing class DeleteScheduleTask
{
    public Id STId;
    private final Schedule_Task__c objST;

    /* Standard Controller Constructor */
    public DeleteScheduleTask(ApexPages.StandardController con)
    {
        this.objST = (Schedule_Task__c) con.getRecord();
        // Parent template Id, used for the redirect after the record is deleted
        STId = [SELECT Id, Schedule_Template__c FROM Schedule_Task__c WHERE Id = :objST.Id].Schedule_Template__c;
    }
    /* End of Standard Controller Constructor */

    /* Method called on page load (via the action attribute) to delete the Schedule Task */
    public PageReference checkDelete()
    {
        try
        {
            Database.delete(objST);
        }
        catch (System.DMLException e)
        {
            return null;
        }
        PageReference p = new PageReference('/apex/ScheduleTemplateTabOverride?id=' + STId);
        p.setRedirect(true);
        return p;
    }
}

MattLacey.ax1065

I believe the standard pages and the visualforce pages are served from different domains, so it's probably being flagged due to that? 

bob_buzzard

I think this is because the record is automatically deleted once the page is opened, based on the id parameter. Thus the user could log in to SFDC, go to another site which had a link:

https://<your instance>/apex/MyPage?id=<the_page>

and the record would be deleted and they would be sent to another Salesforce page, potentially without realising it.

The only safe way around this would be to make the user confirm the delete via a form presented by the page.  You could probably do something via Javascript as well, but that may give a malicious user a chance to tamper with the page.
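The form-based confirmation Bob describes, written out as an added example (this is not code from the thread; the page name DeleteScheduleTaskConfirm, the controller name, and the confirmDelete method are assumed names). The point is that the delete no longer runs from the page's action attribute on a GET, which any link or image tag can trigger; it runs only from a commandButton POST inside an apex:form, and Visualforce forms carry an anti-forgery token that the platform checks before invoking the action. The page and its controller extension are shown together, separated by a comment:

```apex
<!-- DeleteScheduleTaskConfirm.page (assumed name, added example) -->
<apex:page standardController="Schedule_Task__c" extensions="DeleteScheduleTaskConfirm">
    <apex:pageMessages />
    <apex:form>
        <apex:pageBlock title="Delete Schedule Task">
            <apex:outputText value="Are you sure you want to delete {!Schedule_Task__c.Name}?" />
            <apex:pageBlockButtons location="bottom">
                <!-- Delete happens only on this POST; a bare GET of the page deletes nothing.
                     The form's hidden anti-forgery token is added and verified by Visualforce. -->
                <apex:commandButton value="Delete" action="{!confirmDelete}" />
                <!-- cancel is a standard controller action; immediate skips validation -->
                <apex:commandButton value="Cancel" action="{!cancel}" immediate="true" />
            </apex:pageBlockButtons>
        </apex:pageBlock>
    </apex:form>
</apex:page>

/* DeleteScheduleTaskConfirm.cls (assumed name, added example) */
public with sharing class DeleteScheduleTaskConfirm
{
    private final Schedule_Task__c objST;
    private Id templateId;

    public DeleteScheduleTaskConfirm(ApexPages.StandardController con)
    {
        this.objST = (Schedule_Task__c) con.getRecord();
        // Look up the parent template now so the redirect target is known after deletion
        templateId = [SELECT Schedule_Template__c FROM Schedule_Task__c
                      WHERE Id = :objST.Id].Schedule_Template__c;
    }

    /* Bound to the Delete button: runs only on a user-submitted form POST */
    public PageReference confirmDelete()
    {
        try
        {
            Database.delete(objST);
        }
        catch (System.DMLException e)
        {
            // Surface the error on the page instead of silently staying put
            ApexPages.addMessages(e);
            return null;
        }
        PageReference p = new PageReference('/apex/ScheduleTemplateTabOverride?id=' + templateId);
        p.setRedirect(true);
        return p;
    }
}
```

With this layout the override still lands the user on the template page after the delete, but the scanner finding goes away because no DML is reachable from the page's action attribute or from a page-load script; the deletion requires an explicit click inside a token-protected form.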

Amit Singh1989

Bob, this is the code with which I am not getting any security problem.

But the problem is that here the page is redirecting twice..... After the record is deleted, I want to go to the page "/apex/AdminListView?intFocus=7",

but here when the record is deleted it first goes to a blank page... and then is redirected to "/apex/AdminListView?intFocus=7".

How can this issue be fixed?

<apex:page standardController="Campaign" extensions="deleteCampaignNEWCustomExtension">

<script type="text/javascript">
    document.body.onload = pageInit;

    // Runs once the page has rendered and fires the actionFunction below
    function pageInit()
    {
        asynchInit();
    }
</script>

<apex:form>
    <apex:actionFunction name="asynchInit" action="{!checkDelete}"/>
</apex:form>
</apex:page>

Controller

public with sharing class deleteCampaignNEWCustomExtension
{
    private final Campaign objCampaign;

    public deleteCampaignNEWCustomExtension(ApexPages.StandardController controller)
    {
        this.objCampaign = (Campaign) controller.getRecord();
    }

    /* Called from the actionFunction once the page's onload script runs */
    public PageReference checkDelete()
    {
        try
        {
            Database.delete(objCampaign);
        }
        catch (System.DMLException e)
        {
            return null;
        }

        PageReference p = new PageReference('/apex/AdminListView?intFocus=7');
        p.setRedirect(true);
        return p;
    }
}

Thanks,

Amit Singh

bob_buzzard

The blank page is the page that you have created. As the javascript runs when the page is loaded, you have to render the page in the user's browser before the deletion can take place.

Amit Singh1989

Yes, it's true.

Could you please tell me .... what changes are required in my code?

Thanks

bob_buzzard

The only thing I can think of is to push the javascript into a custom delete button, but that would only override in certain places. Aside from that, as the activity is taking place client side you have to render the page.