salesforcerrr

JSEncode Lightning Out

Hi,

When using the Lightning Continuation blog post, the following lines of code are common and present vulnerabilities to XSS:

Function in Lightning component JS controller
({
	doInit: function (component, event, helper) {
		var vfBaseURL = "https://" + component.get("v.vfHost");
		// Listen for messages posted by the iframed VF page
		window.addEventListener("message", function (event) {
			if (event.origin !== vfBaseURL) {
				// Not the expected origin: reject message
				return;
			}
			// Only handle messages we are interested in
			if (event.data.topic === "com.mycompany.message") {
				var result = event.data.result;
				// Undo the HTML escaping of quotes applied to the remoting result
				var plainText = result.replace(/&quot;/g, '"').replace(/&#39;/g, "'");
				component.set("v.result", plainText);
			}
		}, false);
	}
})
- window.addEventListener("message", function (event)
--> var result = event.data.result;

Script in Visualforce page: 
<script>
			var lcBaseURL = "https://momentum-efficiency-4004-dev-ed.lightning.force.com";

			// Listen for messages from the Lightning Component
			window.addEventListener("message", function (event) {
				if (event.origin !== lcBaseURL) {
					// Not the expected origin: reject message
					return;
				}
				// Only handle messages we are interested in            
				if (event.data.topic === "com.mycompany.message") {
					var productId = event.data.productId;
					var latency = event.data.latency;
					Visualforce.remoting.Manager.invokeAction('{!$RemoteAction.SimpleContinuationController.getProduct}', productId, latency, function (result) {
						// Send result to Lightning Component
						var message = {
							topic: "com.mycompany.message",
							result: result
						};
						parent.postMessage(message, lcBaseURL);
					});
				}
			}, false);

		</script>

- window.addEventListener("message", function (event)
--> var productId = event.data.productId;
--> var latency = event.data.latency;
--> var message = {
topic: "com.mycompany.message",
result: result
};

Can someone assist on how best to use JSENCODE to secure this? (I have extracted the important lines and copied them below the code snippets.) Any other recommendations on what might be required?
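One thing worth separating out before reaching for JSENCODE: it is a Visualforce formula function that is evaluated on the server, so it only protects merge fields you interpolate into a script block, for example var x = '{!JSENCODE(SomeController.value)}'. In the two snippets above the only merge field inside script is {!$RemoteAction.SimpleContinuationController.getProduct}, which is a platform-generated identifier, so JSENCODE has nothing to encode there. The exposure in these snippets is in the message handlers themselves: everything arriving through event.data is attacker-controllable from any page that can obtain a reference to the window, and the only things standing between it and the remote action (or the component attribute) are the exact origin comparison and whatever shape checks you add. The example below is added here and is not the poster's code nor Salesforce's sample; it rewrites both handlers so they run in Node without a DOM, with constructed MessageEvent objects, a stub in place of Visualforce.remoting.Manager.invokeAction and parent.postMessage, and assumed origins, topic string and productId format (a record Id is an assumption).

```javascript
// Added example (not the poster's code and not Salesforce's sample): hardened
// versions of the two postMessage handlers from the question. The event objects
// and the remoting call are constructed stand-ins; origins and topic are assumed.

const TOPIC = "com.mycompany.message";

// Exact string match on the origin, never startsWith/indexOf, so that
// https://my-org.lightning.force.com.attacker.example cannot pass.
function isTrustedOrigin(origin, allowedOrigins) {
  return typeof origin === "string" && allowedOrigins.indexOf(origin) !== -1;
}

// Validate the request the Visualforce page receives before it is forwarded
// to the remote action. Returns null on any problem so the caller drops it.
const PRODUCT_ID_RE = /^[A-Za-z0-9]{15,18}$/; // assumption: productId is a record Id

function validateRequest(data) {
  if (!data || typeof data !== "object" || data.topic !== TOPIC) return null;
  if (typeof data.productId !== "string" || !PRODUCT_ID_RE.test(data.productId)) return null;
  if (!/^\d{1,5}$/.test(String(data.latency))) return null; // small non-negative integer
  return { productId: data.productId, latency: Number(data.latency) };
}

// Escape for HTML text. Only needed if the result is ever rendered through
// aura:unescapedHtml or innerHTML; {!v.result} in markup is escaped by Aura.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Visualforce side: origin check, schema check, then the remoting call.
// invokeAction(productId, latency, cb) and reply(message, targetOrigin) stand in
// for Visualforce.remoting.Manager.invokeAction and parent.postMessage.
function makeRequestHandler(allowedOrigins, invokeAction, reply) {
  return function (event) {
    if (!isTrustedOrigin(event.origin, allowedOrigins)) return false;
    const req = validateRequest(event.data);
    if (req === null) return false;
    invokeAction(req.productId, req.latency, function (result) {
      // Reply only to the origin that asked, never "*"
      reply({ topic: TOPIC, result: String(result) }, event.origin);
    });
    return true;
  };
}

// Lightning side: origin check, then accept only a string result.
function makeResultHandler(allowedOrigins, setResult) {
  return function (event) {
    if (!isTrustedOrigin(event.origin, allowedOrigins)) return false;
    const data = event.data;
    if (!data || data.topic !== TOPIC || typeof data.result !== "string") return false;
    setResult(data.result); // store raw text; escape at render time, not here
    return true;
  };
}

// Constructed walk-through: one valid round trip plus three rejected messages.
function demo() {
  const LC = "https://my-org.lightning.force.com"; // assumed origins
  const VF = "https://my-org--c.visualforce.com";
  const log = [];
  const stored = [];
  const lcHandler = makeResultHandler([VF], function (r) { stored.push(r); });
  const fakeInvoke = function (id, latency, cb) { cb("Product <b>" + id + "</b>"); };
  const vfHandler = makeRequestHandler([LC], fakeInvoke, function (msg, target) {
    log.push(["posted-to", target]);
    lcHandler({ origin: VF, data: msg }); // the reply arriving at the Lightning side
  });

  const good = { topic: TOPIC, productId: "01t000000000001AAA", latency: "250" };
  const ok = vfHandler({ origin: LC, data: good });
  const badOrigin = vfHandler({ origin: LC + ".attacker.example", data: good });
  const badId = vfHandler({ origin: LC, data: { topic: TOPIC, productId: "<img src=x onerror=alert(1)>", latency: 1 } });
  const badResult = lcHandler({ origin: VF, data: { topic: TOPIC, result: { html: "<b>x</b>" } } });

  return { ok, badOrigin, badId, badResult, stored, log, rendered: stored.map(escapeHtml) };
}
```

The stored result stays raw and is escaped only at the point it is rendered; if the component shows {!v.result} in markup, Aura does that escaping for you, and the escapeHtml call in the demo is what you would need only if you ever move to aura:unescapedHtml or innerHTML. The second thing the example changes relative to the snippets is that the Visualforce page replies to event.origin rather than a hard-coded URL, and both sides drop anything whose fields are not the expected type, so a message with an object where a string is expected never reaches component.set.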