Sign Up ›
  • Michael Sobczak 22
  • NEWBIE
  • 65 Points
  • Member since 2020
  • Chatter
    Feed
  • 0
    Best Answers
  • 0
    Likes Received
  • 2
    Likes Given
  • 0
    Questions
  • 1
    Replies
SOLVED
11 replies

Built-in XSS Protection unit challenge keeps failing when trying to Check

Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if is vulnerable to XSS. 

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers: 
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>

But everytime y check the challenge, the same message is displayed:

User-added image

I already checked that I am pointing to the right playground. 

If you can check it and help find where I am going wrong I would be thankful.

Thanks


 
SOLVED
11 replies

Built-in XSS Protection unit challenge keeps failing when trying to Check

Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if is vulnerable to XSS. 

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers: 
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>

But everytime y check the challenge, the same message is displayed:

User-added image

I already checked that I am pointing to the right playground. 

If you can check it and help find where I am going wrong I would be thankful.

Thanks


 
SOLVED
21 replies

Date Format In Visualforce page

Hi Friends,

I need some accurate solution in date format, i think it's easy to salesforce developer . but i am new to salesforce .

I dispalyed  the date format like below 

 <apex:outputtext value="{0, date, medium}">
        <apex:param value="{!Inspection_Sheet__c.Date__c}"></apex:param>
    </apex:outputtext>

Output Is : Oct 21,2016

But I need a output like this --> 21st Oct 2016

Can Anyone help to me ASAP. 

I will be appreciate if you are come with the best solution .

Many Thanks In advance !!

Regards ,

SOUNDAR ,

+91-7418425418.