
Sidebar Custom Visualforce Lookup XSS Issues

Hi All,

Previously I have created quite a few custom lookups for different objects, all being called from Visualforce pages. I recently had to have a custom lookup operate on a standard page, so thought it would be nice if I could create a generic lookup handler, and add something to the sidebar as a homepage component, to allow it to work with standard pages.

All was going well until I tried to return the lookup value back to the field on the standard page, where I noticed an error in the console:

Unsafe JavaScript attempt to access frame with URL https://c.cs13.visual.force.com/apex/CustomLookup?frm=editPage&lookupType=003&lksearch=&lksrch=andy&txt=CF00NW0000000HBjZ&accId=001W0000004zzyP from frame with URL https://cs13.salesforce.com/a06/e?CF00N20000002GKe3=Andy+Jones&CF00N20000002GKe3_lkid=001W0000004zzyP&retURL=%2F001W0000004zzyP. Domains, protocols and ports must match.

Is there a way around the XSS being applied here? Will I never be able to call a VF page from a standard page and have JS pass values back to the parent?

Is injecting a modal or similar from the sidebar a better approach for displaying the custom lookup, to avoid having to use VF?

Appreciate any help you can provide!

Cheers,

Andrew

sfdcfox

You can try using HTML5's new XSS feature (allows safe XSS message-passing). You would need to be able to inject code into the native page to add a "message" handler ("onmessage"), then you can call window.postMessage() from the VF page; the "onmessage" handler would be able to pass the values safely back into the page. I believe all latest-version browsers from major players in the browser market all support this mechanism.
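As an added example (not sfdcfox's or Salesforce's code) of the two halves of this hand-off: the Visualforce page posts the chosen record to the standard page with an explicit target origin, and the injected "onmessage" handler checks event.origin and the field id before writing anything into the form. The lookup origin, the message shape and the field-id pattern are assumptions modelled on the URLs in the question.

```javascript
// Added example; not code from the original thread or from Salesforce.
// Assumption: the VF page is served from the c.<instance>.visual.force.com
// origin seen in the question's console error.
const LOOKUP_ORIGIN = 'https://c.cs13.visual.force.com';

// Assumption: only custom lookup text fields (an id of "CF" plus a 15- or
// 18-character Salesforce id, e.g. CF00N20000002GKe3) may be written to.
const FIELD_ID_RE = /^CF[A-Za-z0-9]{15,18}$/;

// --- Side 1: the Visualforce (child) page ---------------------------------
// The message the VF page sends once the user picks a record.
function buildLookupMessage(fieldId, displayValue, recordId) {
  return { type: 'customLookup', fieldId, displayValue, recordId };
}

// `target` is window.opener or window.parent in the browser. Naming the
// parent's origin explicitly means the value is never delivered to a frame
// that has navigated somewhere else.
function sendLookupResult(target, parentOrigin, fieldId, displayValue, recordId) {
  target.postMessage(buildLookupMessage(fieldId, displayValue, recordId), parentOrigin);
}

// --- Side 2: the "onmessage" handler injected into the standard page ------
// Returns true when the lookup fields were written, false when the message
// was rejected. `doc` is the page's document (passed in so it can be faked).
function handleLookupMessage(event, doc) {
  // Any window can call postMessage on us; only the lookup page is trusted.
  if (event.origin !== LOOKUP_ORIGIN) return false;
  const msg = event.data;
  if (!msg || msg.type !== 'customLookup') return false;
  // Restrict which DOM elements a message may touch.
  if (typeof msg.fieldId !== 'string' || !FIELD_ID_RE.test(msg.fieldId)) return false;
  const textField = doc.getElementById(msg.fieldId);
  const idField = doc.getElementById(msg.fieldId + '_lkid');
  if (!textField || !idField) return false;
  // Assign through .value, never innerHTML, so the payload stays data.
  textField.value = String(msg.displayValue);
  idField.value = String(msg.recordId);
  return true;
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', (e) => handleLookupMessage(e, document));
}
```

In the real page the handler is what the sidebar component injects, and `sendLookupResult(window.opener, 'https://cs13.salesforce.com', ...)` is what the VF page calls after the user selects a record.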

gwarburton
Has anybody solved this?