• neal.harris

Is anyone having issues with the security scanner at the moment? I understand it's experiencing delays, but there is nothing new there.

 

Got a report through mentioning a whole load of critical issues because of exposed decimal and boolean values from an sObject in Visualforce. As far as I'm aware, I can't see any issue with that!

 

Got no issues with text fields however, so that proves that the code is secure but the report is seriously wrong.

Hello,

 

I have a question about custom labels. If a custom label is defined that contains an XSS attack (say by a disgruntled developer on his way out the door), is there anything beyond what the apex:output* tag provides to prevent the XSS from succeeding? In other words, if Label.bad is set to the string alert('xss'), and the output is wrapped like

 

<apex:outputText escape="false" value="{!Label.bad}"/>

 

or is just raw like

 

<p>{!Label.bad}</p>

 

will the attack succeed? Is there anything that prevents a malicious user from putting JavaScript and/or markup into custom labels in the first place? Any additional data sanitization that occurs before the label is stored?

 

Thanks,

Daniel
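As an added illustration (not from Daniel's post, and not Salesforce's own sample code), the markup below renders the same label in the ways the question describes plus a script context. It assumes a custom label Label.bad whose stored value is a constructed script string; the point is which forms keep the platform's default HTML encoding and which one opts out of it.

```html
<!-- Added example. Label.bad is assumed to contain constructed markup such as
     <script>alert('xss')</script>; nothing here sanitizes the stored label,
     only the rendering path decides whether it is encoded. -->
<apex:page>
    <!-- Plain merge field: Visualforce HTML-encodes it by default, so the
         browser shows the literal text and no script element is created. -->
    <p>{!Label.bad}</p>

    <!-- apex:outputText defaults to escape="true", same protection as above. -->
    <apex:outputText value="{!Label.bad}"/>

    <!-- Risky form: escape="false" emits the label verbatim, so any markup or
         script stored in the label is interpreted by the browser.
         Reserve this for label content that is meant to be HTML and is
         controlled as carefully as page source. -->
    <apex:outputText escape="false" value="{!Label.bad}"/>

    <!-- Different output context, different encoder: HTML encoding does not
         protect a value placed inside a JavaScript string literal. JSENCODE
         escapes quotes, backslashes and angle brackets so the value cannot
         terminate the literal or the script block. -->
    <script>
        var message = '{!JSENCODE(Label.bad)}';
    </script>
</apex:page>
```

A security review of Visualforce pages therefore greps for escape="false" and for merge fields inside script and event-handler attributes, since those are the paths where a label's content is trusted rather than encoded.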