Saurabh Kulkarni 34

apexpages.currentpage().getparameters().get('name') XSS error

Hello,

I have two Visualforce pages through which I'm navigating. During the navigation I'm putting some values in the Page2 URL so that I can access them in Page2, as shown below.
 
// In page 1 controller
// 'value' is assumed to be a member of this controller (it is not shown in the post)
public PageReference callPage2()
{
    PageReference pr = new PageReference('/apex/Page2?name=' + value);
    pr.setRedirect(true);
    return pr;
}

// In page2 controller: read the 'name' URL parameter and use it as a bind variable in the query
public page2Controller()
{
    String receivedName = ApexPages.currentPage().getParameters().get('name');

    xyz__c x = [SELECT Id FROM xyz__c WHERE Name = :receivedName];
}

However, when I submitted the code to the Salesforce security scanner I got an XSS error for this code.
This might be because of the use of page parameters in the SOQL query.
What can be the solution to this? Is there any way by which I can encode or verify the page parameters for vulnerabilities in the Apex code?

Please help!
Thanks in advance,
Saurabh
 

hpmohan
String receivedName = apexpages.currentpage().getparameters().get('value');
srlawr uk
Do the two pages use the same standard controller/object type? If they do, what you actually want to do is use
 
pr.setRedirect(false);

and then the standardController will actually be reused in the second page and you can just access the same record again in your extension (just using controller.getRecord like you usually do).

If they are different object types between the two pages, I suppose what you have done is the typical way one would approach this. I've only been through the security scanner a couple of times myself, and I guess I can see why this might be a vulnerability (you could pass any URL into page 2 and attempt to load xyz__c records). Do you definitely have "with sharing" on your second controller, to mitigate the effect of this?
 
TedLiu
Try this

receivedName = String.escapeSingleQuotes(receivedName);

or install the managed/unmanaged package ESAPI from https://code.google.com/archive/p/force-dot-com-esapi/wikis/GettingStarted.wiki

receivedName = ESAPI.encoder().SFDC_HTMLENCODE(receivedName);

after this run the security scanner again and let us know
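As an added example (not code from any of the posters above), here is a hardened version of the Page2 controller that combines the suggestions in the replies: "with sharing" on the class, a blank check on the parameter, String.escapeSingleQuotes before the value reaches a query, a bind variable so the value is passed as data rather than spliced into the SOQL string, and HTML encoding of anything echoed back to the page. The class name, the xyz__c object and the getDisplayName getter are assumed for illustration.

```apex
// Added example: hardened Page2 controller (names assumed, not from the thread).
// "with sharing" enforces the running user's record-level access on the query.
public with sharing class Page2Controller {
    private String receivedName;
    public xyz__c record { get; private set; }

    public Page2Controller() {
        String raw = ApexPages.currentPage().getParameters().get('name');

        // Reject a missing or empty parameter instead of querying with null.
        if (String.isBlank(raw)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Missing required parameter: name'));
            return;
        }

        // Neutralise single quotes so the value is safe even if it is later
        // concatenated into a dynamic SOQL string (the reply's suggestion).
        receivedName = String.escapeSingleQuotes(raw);

        // Bind variable: the value is passed as data, never as query text.
        List<xyz__c> rows = [SELECT Id, Name FROM xyz__c
                             WHERE Name = :receivedName LIMIT 1];
        record = rows.isEmpty() ? null : rows[0];
    }

    // HTML-encode before the value is rendered on the page (e.g. inside
    // JavaScript or an output with escape="false"), which is what an XSS
    // finding on a URL parameter is about.
    public String getDisplayName() {
        return record == null ? '' : record.Name.escapeHtml4();
    }
}
```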