Unescape HTML caused Security Review issue
I'm looking to render a Visualforce page as a Doc file.
In the content of the document I need to include the HTML stored in the database (entered through a text area with the standard rich text editor). The problem is that I failed the security review because of this.
Any help or workaround to pass the review?
This is where it failed:
50. public FooController() //FooController.cls
...
53. currentId = ApexPages.currentPage().getParameters().get('cId');
1. <!-- //Foo.page
...
412. <div><apex:outputText escape="false" value="{!fooObj.richText__c}"/></div>
I also tried to wrap my object in an inner class to avoid mapping the stored field directly, but without luck.
Thanks in advance,
J.
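An added example, not code from the question or from the answer below, of the allow-list sanitising a practitioner would apply to the stored rich text before it is handed to the `escape="false"` outputText: formatting tags survive, while script tags, event-handler attributes and `javascript:` links are neutralised, which is what the review finding is about. It is written in JavaScript to show the logic; for the document-rendering case the step belongs server-side, before the value is assigned to the page. The allow-list, the function names and the sample field value are assumptions.

```javascript
// Added example (not code from the question or the answer): allow-list
// sanitiser for stored rich text that is about to be rendered with
// escape="false". Listed formatting tags are rebuilt without attributes
// (<a> keeps only an http(s) href); any other tag is entity-encoded so it
// renders as text. The allow-list and sample input are assumptions.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a']);

// One tag: optional "/", the tag name, then everything up to the first ">".
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Text nodes of rich text are already entity-encoded, so only stray angle
// brackets are encoded; "&" is left alone to avoid double encoding.
function escapeAngle(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function rebuildTag(closing, name, attrs) {
  const lower = name.toLowerCase();
  if (!ALLOWED_TAGS.has(lower)) {
    // script, img, iframe, style, ...: neutralise the whole tag as text.
    return escapeAngle('<' + closing + name + attrs + '>');
  }
  if (closing) return '</' + lower + '>';
  if (lower === 'a') {
    // Discarding the attribute string drops on* handlers; requiring an
    // http(s) scheme drops javascript: and data: URLs.
    const m = HREF_RE.exec(attrs);
    const href = m ? (m[1] !== undefined ? m[1] : m[2]) : '';
    return /^https?:\/\//i.test(href) ? '<a href="' + href.replace(/"/g, '&quot;') + '">' : '<a>';
  }
  return '<' + lower + '>';
}

function sanitizeRichText(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeAngle(html.slice(last, m.index));
    out += rebuildTag(m[1], m[2], m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeAngle(html.slice(last));
}

// Constructed sample of a rich-text field value carrying script vectors.
const SAMPLE_RICH_TEXT = '<p>Hello <b>world</b></p><script>alert(1)</script>' +
  '<a href="javascript:alert(2)" onclick="evil()">link</a>';
console.log(sanitizeRichText(SAMPLE_RICH_TEXT));
```

The output keeps the paragraph and bold markup but shows the script element as literal text and reduces the link to a bare anchor.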
Well, in case I am understanding your question correctly, your given code snippet failed the security review of Salesforce.
If that is the case you can do exactly what I did in my code; I am attaching the snippet below:
var strObj1Id="{!SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(Object1Id, '&','&amp;'), '>','&gt;'), '<','&lt;'),'\'','&#39;'),'"','&quot;')}";//To prevent XSS attack, added on 08/06/2009.
var arrSelectedObj2 = {!SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(GETRECORDIDS($ObjectType.Object2 ), '&','&amp;'), '>','&gt;'), '<','&lt;'),'\'','&#39;'),'"','&quot;')};//To prevent XSS attack, added on 08/06/2009.
This is what I had done to make my code acceptable from a security standpoint.
This was done in a JavaScript snippet, but it will be a pointer nevertheless.
Did this answer your question? If not, let me know what didn't work, or if so, please mark it solved.