Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if is vulnerable to XSS. 

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers:

<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>

But everytime y check the challenge, the same message is displayed:



I already checked that I am pointing to the right playground. 

If you can check it and help find where I am going wrong I would be thankful.

Thanks


 

Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if is vulnerable to XSS. 

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers:

<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>

But everytime y check the challenge, the same message is displayed:



I already checked that I am pointing to the right playground. 

If you can check it and help find where I am going wrong I would be thankful.

Thanks


 

Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if is vulnerable to XSS. 

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers:

<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>

But everytime y check the challenge, the same message is displayed:



I already checked that I am pointing to the right playground. 

If you can check it and help find where I am going wrong I would be thankful.

Thanks


 

I get this error: Challenge Not yet complete... here's what's wrong: 
The Suggestion custom object does not contain the correct set of custom fields. Tip: check for typos in the field names.

I've followed all steps, went back and rechecked, and then redid the entire challenge. I can't get it to pass. What am I doing wrong? I have included all custom fields and spelled them correctly.

Hi,

I am trying to create a custom button on a custom object which can only be clicked if a date on the parent oject is filled in.  I am new to SOQL and javascript but have managed to created custom buttons in the past with validation rules which related to the object they are on however I am struggling with cross object rules.

In this instance an Assessment__c can only be submitted if it's parent Referral__c has an accepted date that is not blank.

Any help would be very much apprecitated.

Here is the code so far:

{!REQUIRESCRIPT("/soap/ajax/30.0/connection.js")} 
{!REQUIRESCRIPT("/soap/ajax/24.0/apex.js")}

var ReferraAccepted = "SELECT Accepted_date__c FROM Referral__c WHERE Name = '{!Assessment__c.Referral__c}' LIMIT 1";

if (ReferraAccepted == null){alert ("Please submit the completed referral form to the Clearing House as this form cannot be submitted on it's own.")} 

else {

var newRecords = []; 
var c = new sforce.SObject("Assessment__c"); 
c.id ="{! Assessment__c.Id }"; 
c.Submit_for_assessment__c = true; 
newRecords.push(c); 
result = sforce.connection.update(newRecords); 
window.location.reload();
}
 

I had a bit of trouble finding the solution to my relativley simple problem, set up a bunch of default objects via a static resource instead of using the data loader.

 

This page was useful, it focuses on creating and reading from a csv via apex:inputFile

http://www.forcetree.com/2010/08/read-and-insert-records-from-csv-file.html

 

Turns out you can simply query the static resources and split it all up manually so long as you know the order of the fields in the CSV (my static resource is a straight-up csv, no zip)

 

 

        StaticResource defaultResource = [Select  s.Body From StaticResource s where s.Name LIKE 'resourceName%'];
        blob tempB = defaultResource.Body;
       	String contentFile = tempB.toString();
       	String[] filelines = contentFile.split('\n');
    	List<object_to_Create__c> defaults = new List<object_to_Create__c>();
       	for (Integer i=1;i<filelines.size();i++)
        {
        	object_to_Create__c temp = object_to_Create__c();
                String[] inputvalues = filelines[i].split(',');
        	temp.Field1__c = inputValues[0];
        	temp.Field2__c = inputValues[1];
        	defaults.add(temp);	
        }
        insert defaults;

 I hope this saves some developers time, because i was suprised as to how little i was able to find out there