• marc_romeu
  • Member since 2013


I have recently performed a Cross-site scripting (XSS) security test in a customer portal and I have received a concerning issue regarding picklists. The results are:

The following changes were applied to the original request:

- Set the value of the parameter 'formName:dropDown' to
'%3E%22%27%3E%3Cscript%3Ealert%2876%29%3C%2Fscript%3E'

Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user

The code for generating the dropdown is:

<apex:selectList id="dropDown" value="{!recordName}" size="1" >
    <apex:selectOptions value="{!listOptions}" />
</apex:selectList>

I have tried to manually modify the value of the picklist options in the generated HTML, and I have not been able to submit them.

My doubts are: Can the dropdown values actually be tampered with? Should I check that the submitted values correspond to the available options?

Do not hesitate to contact me for any related queries.

Thanks!
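An added example, not code from the original post: an Apex controller in the shape the Visualforce snippet above implies (a recordName property and a listOptions getter) that checks the submitted picklist value against the option list rebuilt on the server. The class name, the Demo_Object__c object and the save action are assumptions; the point is that the allowlist and the rendered options come from the same source, so a value that was never offered is rejected before any processing.

```apex
// Added example (not from the original post). PicklistController,
// Demo_Object__c and save() are placeholder names.
public with sharing class PicklistController {

    // Bound by <apex:selectList value="{!recordName}">; whatever the client
    // sends for the 'formName:dropDown' parameter lands here on postback.
    public String recordName { get; set; }

    // Single source of truth for the allowed values. Both the rendered
    // options and the validation below are derived from it, so the
    // allowlist cannot drift from what the page actually offered.
    private Set<String> allowedValues() {
        Set<String> allowed = new Set<String>();
        for (Demo_Object__c rec : [SELECT Name FROM Demo_Object__c LIMIT 1000]) {
            allowed.add(rec.Name);
        }
        return allowed;
    }

    // Feeds <apex:selectOptions value="{!listOptions}" />.
    public List<SelectOption> getListOptions() {
        List<SelectOption> options = new List<SelectOption>();
        for (String name : allowedValues()) {
            options.add(new SelectOption(name, name));
        }
        return options;
    }

    // Action method for the form submit. The rendered <option> list is only
    // a client-side convenience; this check is what enforces the constraint.
    public PageReference save() {
        if (String.isBlank(recordName) || !allowedValues().contains(recordName)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR,
                'The selected value is not one of the available options.'));
            return null; // stay on the page; the submitted value is not used
        }
        // recordName is now known to be one of the offered values and can be
        // used in further queries or DML.
        return null;
    }
}
```

Any HTTP client can submit an arbitrary string for a form parameter regardless of what the HTML select contained, so the server-side membership check is the control to rely on. Wherever the value is later echoed into a page, Visualforce's default HTML escaping (escape="true" on output components) should be left in place.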

Hi,

Does anyone know about compact layouts in Salesforce? How do I use this layout, and what are the steps to create one?

I know this layout is used on mobile devices, but I don't see any difference on mobile devices.

Please, can anyone tell me, and does anyone have a demo?

  • December 16, 2013