Hema Sudeepa

Cross-site Scripting (XSS) attack

Hi All,

I'm getting a Cross-site Scripting (XSS) attack for the line strIdeaId = ApexPages.currentPage().getParameters().get('id'); Below is my code snippet. Please suggest how I can overcome this problem.

public with sharing class TestController {
    // Value taken straight from the URL query string (?id=...): untrusted user input
    String strIdeaId;

    public TestController() {
        strIdeaId = ApexPages.currentPage().getParameters().get('id');
    }
}

sharathchandra thukkani
How did you come to know that you are facing it at that line? How can you check, in developer tools?
Ashlekh
Hi,

Here is documentation on this topic:
https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_xss.htm
https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting

-Thanks
Ashlekh Gera
VinodKR
Hi Hema,

Try this:

// Read the untrusted 'id' query-string parameter.
String sValue = ApexPages.currentPage().getParameters().get('id');
// The next line HTML-encodes the user text, similar to the Visualforce HTMLENCODE function but within an Apex class.
// Note: ESAPI.encoder() comes from the open-source Force.com ESAPI library, which must be deployed in the org;
// it is not part of the standard Apex runtime.
sValue = ESAPI.encoder().SFDC_HTMLENCODE(sValue);


Thanks,

Have a great day ahead. Let the Force be with you!
Please mark this as best answer if it helps you.
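To make the advice in this thread concrete, here is an added example (not code from the original post or from any of the repliers) of the same controller pattern, hardened in two ways that the encode-only fix alone does not show: the parameter is validated as a Salesforce Id before use, and a separate encoder is exposed for each output context, because HTML encoding is the wrong encoder inside a <script> block. It uses the built-in Apex String.escapeHtml4() and String.escapeEcmaScript() methods instead of the ESAPI library, so nothing extra needs to be installed. The class and property names (IdeaController, ideaId, getHasValidId, getIdeaIdForHtml, getIdeaIdForJs) are assumptions chosen for the example.

```apex
// Added example, not from the original thread. Names in this class are assumptions.
public with sharing class IdeaController {
    // Raw value of the 'id' query-string parameter. Anything a user puts in the
    // URL (e.g. ?id=<script>alert(1)</script>) arrives here unchanged, so it is
    // untrusted input and must never reach the page without encoding.
    private String ideaId;

    public IdeaController() {
        ideaId = ApexPages.currentPage().getParameters().get('id');
    }

    // Validation step: a record Id is a 15- or 18-character Salesforce Id.
    // Id.valueOf throws System.StringException on anything else, so a script
    // payload is rejected here before it can be rendered at all.
    public Boolean getHasValidId() {
        if (String.isBlank(ideaId)) {
            return false;
        }
        try {
            Id parsed = Id.valueOf(ideaId);
            return parsed != null;
        } catch (System.StringException e) {
            return false;
        }
    }

    // HTML body context. Use this only where Visualforce auto-escaping has been
    // turned off, e.g. <apex:outputText value="{!ideaIdForHtml}" escape="false"/>.
    // Equivalent to the Visualforce HTMLENCODE() function.
    public String getIdeaIdForHtml() {
        return ideaId == null ? '' : ideaId.escapeHtml4();
    }

    // JavaScript string context, e.g. <script>var id = '{!ideaIdForJs}';</script>.
    // HTML encoding does not stop a quote from breaking out of a JS string literal;
    // the ECMAScript encoder does. Equivalent to the Visualforce JSENCODE() function.
    public String getIdeaIdForJs() {
        return ideaId == null ? '' : ideaId.escapeEcmaScript();
    }
}
```

Two caveats when applying this: a plain {!ideaId} merge field in HTML body text is already escaped by Visualforce, so returning an HTML-encoded value there would double-encode it; encode in Apex only where escaping is disabled (escape="false") or where the value lands in a non-HTML context such as a script block or a URL. And validating the Id first means a scanner finding on the raw assignment is addressed by the check on the data, not just by the encoder at the output.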
Hema Sudeepa

Hi,

Thanks for your response

@Vinod I'm using the String on the page side and I have used the encoding method in the page. It worked for me.

Thanks