How to resolve "cross site scripting" security threat for array variables
Hi,
We are using JavaScript in our VF page which accesses the value of a controller variable using merge fields as below:
var temp = {!itemList};
To avoid the XSS problem we want to use it as
var temp = '{!JSENCODE(itemList)}'
But as the controller variable "itemList" is of type List, we are getting an error while saving, whereas for primitive variables we are not getting any error.
List declaration in the controller:
public List<String> itemList { get; set; }
Please can anyone suggest what should be done for arrays?
Thank you
It appears that merging a list calls an internal toString that is not officially exposed and therefore can't be used with JSENCODE.
Additionally, I am a bit confused as to why you would want to get an array and assign it to a string (or an array, for that matter). Your original example is assigning it as an Array (VF converts the array to an output string representing what would become a JS array with your strings as object names, not as strings). When you try to use JSENCODE you wrap it with single quotes.
Here is the output of your original example if the array included two strings "abc" and "def":
var temp = [abc, def];
If you are trying to get the array of strings from VF and add them to an array of strings in JS (var temp = ['abc', 'def'];), you probably want to create your output string in the controller and escape it using the Force.com ESAPI JSENCODE method, or use VF apex:repeat. In both approaches, you should perform JSENCODE on each item in the array.
var temp = new Array();
<apex:repeat value="{!itemList}" var="item">
temp.push('{!JSENCODE(item)}');
</apex:repeat>
I recommend using VF and apex:repeat.
Yoel Gluck
Product Security Team @ Salesforce.com
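The following is an added example, not code from the question or from the answer above. It models in plain JavaScript what the answer describes: how Visualforce renders a List<String> into page script when the raw merge field {!itemList} is used (the list's toString(), giving unquoted element names) versus apex:repeat with JSENCODE applied to each item, and what an attacker-controlled list element does in each case. The jsEncode function is an approximation of Visualforce's JSENCODE (an assumption about its exact output, not the real implementation), and sandbox.pwned is a constructed sentinel standing in for whatever an injected script would do.

```javascript
// Added example (not the original page's code). Simulates how a Visualforce
// page renders a List<String> controller property into JavaScript, then runs
// the rendered script to show which renderings let a list item execute code.

// Approximation of Visualforce's JSENCODE (assumption): backslash-escape the
// characters that can terminate a JS string literal or a line, and \uXXXX-encode
// < and > so a value cannot close the surrounding <script> block.
function jsEncode(s) {
  return String(s).replace(/[\\'"\n\r\u2028\u2029<>]/g, function (c) {
    switch (c) {
      case '\\': return '\\\\';
      case "'":  return "\\'";
      case '"':  return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default:
        return '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
    }
  });
}

// {!itemList} on a List<String>: rendered as "[abc, def]", elements unquoted,
// which is what the answer shows for the original example.
function renderRaw(itemList) {
  return 'var temp = [' + itemList.join(', ') + '];';
}

// <apex:repeat> emitting one temp.push('...') per item, as in the answer.
// encode=false shows what happens when JSENCODE is left off each item.
function renderRepeat(itemList, encode) {
  var lines = ['var temp = new Array();'];
  itemList.forEach(function (item) {
    lines.push("temp.push('" + (encode ? jsEncode(item) : item) + "');");
  });
  return lines.join('\n');
}

// Executes the rendered script the way the browser would, with a sentinel
// object that an injected payload can reach. Returns the resulting temp and
// whether the sentinel was tripped; a thrown error is reported by its name.
function execute(script) {
  var sandbox = { pwned: false };
  var temp;
  try {
    temp = new Function('sandbox', script + '\nreturn temp;')(sandbox);
  } catch (e) {
    temp = e.name;
  }
  return { temp: temp, pwned: sandbox.pwned };
}

// Constructed inputs: a benign list, and one whose items are attacker-controlled.
// The first hostile item breaks out of an array literal, the second out of a
// single-quoted string literal.
var benign = ['abc', 'def'];
var hostile = ["0]; sandbox.pwned = true; //", "'); sandbox.pwned = true; //"];

// Raw merge field with benign data is not even usable: [abc, def] refers to
// two undefined identifiers, so the script throws a ReferenceError.
var rawBenign = execute(renderRaw(benign));
// Raw merge field with hostile data runs the payload.
var rawHostile = execute(renderRaw(hostile));
// apex:repeat without JSENCODE: the second item closes the string and runs.
var repeatUnencoded = execute(renderRepeat(hostile, false));
// apex:repeat with JSENCODE on each item: both payloads stay plain strings.
var repeatEncoded = execute(renderRepeat(hostile, true));
```

Running the four cases shows the progression the answer argues for: the raw merge field never yields an array of strings (it yields identifiers, and with hostile input, executable code), an unencoded per-item push is still breakable through the quote character, and only JSENCODE on every item keeps each element inert and equal to the controller value.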