You need to sign in to do that
Don't have an account?
Abhijit Shrikhande
Issue with Hands-on Challenge - Cross Scripting Vectors
I have identified the following vectors, but I am still blocked from completing the challenge. What am I missing?
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab"> <apex:sectionHeader title="Built-In XSS Protections Challenge" /> <apex:form > <apex:pageBlock > <c:Classic_Error /> <apex:pageMessages /> <apex:pageBlockSection title="Demo" columns="1" id="tableBlock"> <apex:outputText value="{!sampleMergeField1}"/> <!-- Line 9 is vulnerable to XSS: NO --> <apex:outputText value="{!sampleMergeField2}" escape="false"/> <!-- Line 13 is vulnerable to XSS: YES --> <apex:outputText > {!sampleMergeField3} </apex:outputText> <!-- Line 18 is vulnerable to XSS: YES / NO --> <style> .foo { color: #{!sampleMergeField4}; } </style> <!-- Line 25 is vulnerable to XSS: YES --> {!sampleMergeField5} <!-- Line 31 is vulnerable to XSS: NO --> <script> var x = '{!sampleMergeField6}'; </script> <!-- Line 36 is vulnerable to XSS: YES --> <apex:outputLabel value="{!sampleMergeField7}" escape="false"/> <!-- Line 41 is vulnerable to XSS: YES --> </apex:pageBlockSection> <apex:pageBlockSection title="Code links" columns="1"> <apex:outputPanel > <ul> <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li> <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li> </ul> </apex:outputPanel> </apex:pageBlockSection> </apex:pageBlock> </apex:form> </apex:page>
I have specied below only the section where Yes/No is required,
<apex:outputText value="{!sampleMergeField1}"/>
<!-- sampleMergeField1 is vulnerable to XSS: NO -->
<apex:outputText value="{!sampleMergeField2}" escape="false"/>
<!-- sampleMergeField2 is vulnerable to XSS: YES -->
<apex:outputText > {!sampleMergeField3} </apex:outputText>
<!-- sampleMergeField3 is vulnerable to XSS: NO -->
<style>
.foo { color: #{!sampleMergeField4}; }
</style>
<!-- sampleMergeField4 is vulnerable to XSS: YES -->
{!sampleMergeField5}
<!-- sampleMergeField5 is vulnerable to XSS: YES -->
<script> var x = '{!sampleMergeField6}';
</script> <!-- sampleMergeField6 is vulnerable to XSS: YES -->
<apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
<!-- sampleMergeField7 is vulnerable to XSS: YES -->
This should help you in getting go thru challenge.
Regards,
Dax