Anurag Jain 73
Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of the Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if it is vulnerable to XSS.

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>
</apex:page>

But every time I check the challenge, the same message is displayed:

[User-added image]

I already checked that I am pointing to the right playground.

If you can check it and help me find where I am going wrong, I would be thankful.

Thanks
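The two rules quoted in the post (a merge field is auto HTML-encoded unless it sits inside a <style> or <script> block, or inside an apex tag carrying escape="false") are simple enough to turn into a small lint. The script below is an added example, not code from the post or from Trailhead: it scans Visualforce markup with regular expressions rather than a real parser, uses a constructed sample page with field names f1..f7 that mirrors the structure of the challenge markup, and reports which merge fields land in an unencoded context. It generalizes beyond the challenge, since it will flag any number of merge fields in any markup you feed it.

```python
import re

# Constructed sample page for this example (not the challenge's own code).
# It mirrors the contexts used in the challenge: outputText with and
# without escape="false", a tag body, a <style> block, bare markup text,
# a <script> block, and outputLabel with escape="false".
SAMPLE_PAGE = """
<apex:page controller="Demo">
  <apex:outputText value="{!f1}"/>
  <apex:outputText value="{!f2}" escape="false"/>
  <apex:outputText>{!f3}</apex:outputText>
  <style>.foo { color: #{!f4}; }</style>
  {!f5}
  <script>var x = '{!f6}';</script>
  <apex:outputLabel value="{!f7}" escape="false"/>
</apex:page>
"""

# {!name} merge-field expressions.
MERGE_FIELD = re.compile(r"\{!\s*([A-Za-z_][\w.]*)\s*\}")
# <style>/<script> bodies: Visualforce does not HTML-encode merge fields here.
RAW_BLOCK = re.compile(r"<(style|script)\b[^>]*>.*?</\1\s*>",
                       re.IGNORECASE | re.DOTALL)
# Any apex:* start tag, including its whole attribute list.
APEX_TAG = re.compile(r"<apex:\w+[^>]*>", re.IGNORECASE | re.DOTALL)
# escape="false" (or escape='false') anywhere in a tag's attributes.
ESCAPE_FALSE = re.compile(r"""\bescape\s*=\s*["']\s*false\s*["']""", re.IGNORECASE)


def _span_containing(spans, pos):
    """Return the payload of the first (start, end, payload) span holding pos."""
    for start, end, payload in spans:
        if start <= pos < end:
            return payload
    return None


def classify_merge_fields(markup):
    """Map each merge-field name to (vulnerable, reason).

    A field is treated as auto HTML-encoded (not vulnerable) unless it is
    inside a <style>/<script> block or inside an apex tag with escape="false".
    """
    raw_spans = [(m.start(), m.end(), m.group(1).lower())
                 for m in RAW_BLOCK.finditer(markup)]
    tag_spans = [(m.start(), m.end(), m.group(0))
                 for m in APEX_TAG.finditer(markup)]
    results = {}
    for m in MERGE_FIELD.finditer(markup):
        name = m.group(1)
        block = _span_containing(raw_spans, m.start())
        if block is not None:
            results[name] = (True, f"inside <{block}> block: not auto-encoded")
            continue
        tag = _span_containing(tag_spans, m.start())
        if tag is not None and ESCAPE_FALSE.search(tag):
            results[name] = (True, 'apex tag has escape="false"')
            continue
        results[name] = (False, "auto HTML-encoded")
    return results


def vulnerable_fields(markup):
    """Sorted names of merge fields that end up in an unencoded context."""
    return sorted(name for name, (vuln, _) in classify_merge_fields(markup).items() if vuln)


if __name__ == "__main__":
    for name, (vuln, reason) in classify_merge_fields(SAMPLE_PAGE).items():
        print(f"{name}: vulnerable to XSS: {'YES' if vuln else 'NO'} ({reason})")
```

Run it as-is to see the verdict for each field in the constructed sample; pass your own page source to classify_merge_fields to check a different page. The regex approach is deliberately conservative: it only understands the two contexts named in the Secure Coding guide, so anything it flags is worth a second look, while a clean report is not proof the page is safe (for example, it does not reason about JavaScript event-handler attributes or URL contexts).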