Anuj Joshi 42

Does outputText prevent XSS?

Hi all,

I am writing escape=false in my VF page, like this:
<apex:outputText escape="false"  value="{!cr.Message__c}" rendered="{!(cr.Message__c)!= ''}"/><br/><br/>

Message__c is a custom field in the object, which is of type Rich Text Area. This issue is coming up in my Checkmarx report. In the document I have checked, using a Rich Text Area eliminated the XSS vulnerability. How do I solve this? I have tried all possible solutions like JSENCODE, HTMLENCODE, etc.