Daniel99

Custom Labels And XSS

Hello,


I have a question about custom labels. If a custom label is defined that contains an XSS attack (say by a disgruntled developer on his way out the door), is there anything beyond what the apex:output* tag provides to prevent the XSS from succeeding? In other words, if Label.bad is set to the string alert('xss'), and in the output is wrapped like


<apex:outputText escape="false" value="{!Label.bad}"/>


or is just raw like


<p>{!Label.bad}</p>


will the attack succeed? Is there anything that prevents a malicious user from putting JavaScript and/or markup into custom labels in the first place? Any additional data sanitization that occurs before the label is stored?


Thanks,

Daniel

neal.harris

Hi Daniel,


In general, protecting against malicious insiders can be challenging, especially in the case of developers. Since an XSS attack is essentially JavaScript injection, and a developer has the ability to write JavaScript directly, trying to prevent a developer from intentionally writing XSS-vulnerable code is a losing battle.


The best advice we can offer is to have regular code reviews.


In the first example you give, notice that the developer has intentionally set escape="false". By default, outputText is escaped properly; however, if a developer chooses to turn off this escaping (as in your example), and no other output encoding is done, then the page will be vulnerable to XSS. There is no input validation done on the custom label name, since we rely on output encoding.


The second example you give is actually safe, since the default escaping will be performed on {!Label.bad}.


For more on this, I encourage you to check out our Secure Coding Guidelines on XSS:  http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Scripting#Apex_and_Visualforce_Applications


I hope this helps!


Neal Harris

Product Security Team @ Salesforce.com
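As an added example (not from this thread and not Salesforce code), here is a small Python review helper that applies Neal's points to Visualforce source during the code reviews he recommends: it flags outputText tags with escape="false" and, going one step beyond the HTML-body case discussed above, merge fields placed inside <script> blocks without JSENCODE or JSINHTMLENCODE, since the default HTML escaping does not protect a JavaScript string context. The sample page is constructed; in Visualforce a custom label is referenced as {!$Label.name}.

```python
import re

# Constructed sample Visualforce page (not from the original thread). The
# cases mirror the question: escape="false", a raw merge field in the HTML
# body (safe by default), and a label inside a <script> block with and
# without JSENCODE.
SAMPLE_PAGE = """<apex:page>
  <apex:outputText escape="false" value="{!$Label.bad}"/>
  <p>{!$Label.bad}</p>
  <script>var greeting = '{!$Label.bad}';</script>
  <script>var safe = '{!JSENCODE($Label.bad)}';</script>
</apex:page>"""

TAG_RE = re.compile(r"<apex:outputText\b[^>]*>", re.IGNORECASE)
ESCAPE_FALSE_RE = re.compile(r'\bescape\s*=\s*"false"', re.IGNORECASE)
MERGE_RE = re.compile(r"\{!([^}]*)\}")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
JS_ENCODERS = ("JSENCODE(", "JSINHTMLENCODE(")


def _line_of(source, offset):
    """1-based line number of a character offset in source."""
    return source.count("\n", 0, offset) + 1


def find_risky_outputs(source):
    """Return (line, reason, expression) for merge fields rendered without
    the encoding their context needs. A bare {!...} in the HTML body is not
    reported, because Visualforce HTML-escapes it by default."""
    findings = []
    # Case 1: developer explicitly disabled the default escaping.
    for m in TAG_RE.finditer(source):
        tag = m.group(0)
        if ESCAPE_FALSE_RE.search(tag):
            for field in MERGE_RE.findall(tag):
                findings.append((_line_of(source, m.start()), 'escape="false"', field.strip()))
    # Case 2: merge field inside <script> without a JavaScript encoder.
    for m in SCRIPT_RE.finditer(source):
        body_start = m.start(1)
        for fm in MERGE_RE.finditer(m.group(1)):
            expr = fm.group(1).strip()
            if not expr.upper().startswith(JS_ENCODERS):
                findings.append((_line_of(source, body_start + fm.start()),
                                 "unencoded merge field in <script>", expr))
    return findings


if __name__ == "__main__":
    for line, reason, expr in find_risky_outputs(SAMPLE_PAGE):
        print(f"line {line}: {reason}: {{!{expr}}}")
```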