+ Start a Discussion
GangaGanga 

how to resolve stored XSS .... in an apex class

Hi friends
I am getting a issue on Stored XSS in my class
can any one help me out   I am new to SFDC
showing at line .....

coa = [SELECT Id, LR_Status__c, Requirement__c, Status1__c,LR_Status_Date__c,MR_Status_Date__c, LR_Date__c,
                 Candidate__c, MR_Status__c,Requirement_Owner_Email__c, R_Comments__c, LR_Comments__c, MR_Comments__c,
                 Employer_s_Authorization__c, Manager_Email_ID__c, Submitted_to_Client__c, Submitted_to_Client_Date__c,
                 Interview_Scheduled__c, Interview_Scheduled_Date__c, Interview_Accepted__c, Interview_Accepted_Date__c,
                 Client_Offered__c, Client_Offer_Date__c, Comments__c, Client_Interviewed__c, Client_Interview_Date__c,
                 Candidate_started__c, CreatedDate,started_date__c, LR_Email__c,lr_id__c, CreatedById, Name, Last_Name__c,Contract_End_Date__c,MR_Status_date1__c FROM
                 Candidate_Mapping__c where id =:cid];
                
                
             
               uEmailR = [Select Email,Manager_Email__c FROM User WHERE ID =:coa.CreatedById];      
         can = [Select Name,CreatedDate From Candidate__c WHERE ID =:coa.Candidate__c]; 
          subCandidate =string.Valueof(can.Name) + ' ' + string.Valueof(coa.Last_Name__c);       
         REmail = uEmailR.Email;         
         LREmail = uEmailR.Manager_Email__c;        
         MREmail = string.Valueof(coa.Requirement_Owner_Email__c);
        
         strCandidateStarted = coa.started_date__c;
this is my code i am getting error on these lines ......COa and can



Thanks in advance
Vinita_SFDCVinita_SFDC
Hello,

To avoide XSS use escape function.

Solution can be one of the followings:

>Try to use STATIC queries as much as possible. STATIC query has inbuilt escaping.

>If dynamic query is needed , then all the search parameters should use escapeSingleQuotes() function.like
List<Account> listAccount = Database.query('Select id from Account where Name = \'' + String.escapeSingleQuotes(nameField) + '\' ');

Referred: http://simplyforce.blogspot.in/2011/03/salesforce-applications-with-security_14.html