Saurabh Kulkarni 34

Using JSENCODE and HTMLENCODE for PageBlockTable columns

Hello,

My VF code is something like below:
<apex:pageBlockTable>
 <apex:column title="{!Config.Name}~Click to Edit" styleClass="NameClass" width="600px" value="{!Config.Name}"/>
.
</apex:pageBlockTable>

However, I'm getting a stored XSS error from the Salesforce Security Scanner. I tried modifying the value of the column to something like
value="{!HTMLENCODE(Config.Name)}"  But I'm getting this error: Syntax error. Missing ')' after Config

Is there any special syntax that I need to use? Or is there any other solution to this?

Thanks!!
Saurabh
Andy Boettcher
What are you passing in Config.Name?
Saurabh Kulkarni 34
Thanks Andy for your reply.
Let me give you the complete idea: 
//Visualforce page:

<apex:pageBlockTable value="{!RequestList}" var="Config">
<apex:column title="{!Config.Name}~Click to Edit" styleClass="NameClass" width="600px" value="{!Config.Name}"/> .
</apex:pageBlockTable>

//In the controller the code is something like:
public class controller {
    // Rows built from the aggregate query, exposed to the page as RequestList
    List<RequestData> rdData = new List<RequestData>();

    public controller() {
        AggregateResult[] groupedResults = [SELECT Name, COUNT(Id)
                                            FROM xyz__c GROUP BY Name];

        for (AggregateResult ar : groupedResults) {
            RequestData rd = new RequestData();
            rd.Name = (String) ar.get('Name');           // property used by the page as {!Config.Name}
            rd.TotalNumber = (Integer) ar.get('expr0');  // COUNT(Id) is returned under the alias expr0
            rdData.add(rd);
        }
    }

    public List<RequestData> getRequestList() {
        return rdData;
    }

    public class RequestData {
        public String Name { get; set; }
        public Integer TotalNumber { get; set; }  // COUNT(Id) comes back as an Integer
    }
}

Andy Boettcher
Ok - just wanted to make sure you're not passing any weird JS code or anything.  Here's what I would try doing:
<apex:pageBlockTable value="{!RequestList}" var="objConfig">
<apex:column title="{!objConfig.Name}~Click to Edit" styleClass="NameClass" width="600px" value="{!objConfig.Name}"/> .
</apex:pageBlockTable>
I haven't seen the XSS scanner hit in use cases like this before, but I always shy away from potentially reserved keywords like "variable", "system" or "config" just to be safe.
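As an added example (not Saurabh's page or Andy's code), the table with the renamed loop variable, showing which Visualforce encoding function fits each place the name ends up. The onclick handler and the editRow function are assumptions for illustration.

```html
<!-- Added example: each encoding function is matched to the context the value is rendered into.
     editRow is an assumed page-level JavaScript function, not part of the original page. -->
<apex:pageBlockTable value="{!RequestList}" var="objConfig">

    <!-- Name rendered as an HTML attribute (title) and as cell text: HTMLENCODE -->
    <apex:column title="{!HTMLENCODE(objConfig.Name)}~Click to Edit"
                 styleClass="NameClass" width="600px"
                 value="{!HTMLENCODE(objConfig.Name)}"/>

    <!-- Name placed inside a JavaScript string literal that itself sits in an
         HTML event attribute: JSINHTMLENCODE handles both layers -->
    <apex:column headerValue="Total"
                 onclick="editRow('{!JSINHTMLENCODE(objConfig.Name)}');"
                 value="{!objConfig.TotalNumber}"/>

</apex:pageBlockTable>

<!-- Name placed inside a JavaScript string literal in a script block: JSENCODE -->
<script>
    // Assumed helper for the example: receives the already JS-encoded name
    function editRow(name) {
        console.log('edit requested for ' + name);
    }
    var lastRequest = '{!JSENCODE(RequestList[0].Name)}';
</script>
```

The three functions are not interchangeable: HTMLENCODE in a script string does nothing for quote characters, and JSENCODE in HTML text does nothing for angle brackets.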
Saurabh Kulkarni 34
Cool. Good to know that. Thanks Andy.

I'll try doing that as well.

Thanks!
Saurabh Kulkarni 34
But I believe the XSS error is for something else. Could you figure out what that is?
Andy Boettcher
Like I said above - I haven't seen the XSS scanner hit an apex:column before... when you got the scanner results back, it should have given you some examples and line numbers.  Are you sure it's pointing here?