Uttpal_Chandra
Stored XSS in wrapper Class
Hi all,
I got a Stored XSS error in the wrapper class method, and I am using the wrapper class variable on the VF page in apex:repeat.
Anyone know why it is happening?
Cross-site scripting (XSS) is a vulnerability that occurs when an attacker can insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page viewed by other users. A malicious script inserted into a page in this manner can hijack the user's session, submit unauthorized transactions as the user, or steal confidential information.
Mechanisms provided in VF to overcome this issue
1) Built-in auto encoding
All merge fields are always auto HTML encoded provided they
i) do not occur within a <script> or <style> tag
ii) do not occur within an apex tag with the escape='false' attribute
2) Built-in Visualforce encoding functions
The platform provides the following Visualforce encoding functions:
JSENCODE -- performs string encoding within a JavaScript string context
HTMLENCODE -- encodes all characters with the appropriate HTML character references so as to avoid interpretation of characters as markup.
URLENCODE -- performs URI encoding (% style encoding) within a URL component context
JSINHTMLENCODE -- a convenience method that is equivalent to the composition of HTMLENCODE(JSENCODE(x))
There is a detailed article at the link below:
https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting
Sample example
The above is vulnerable
Let's see how we use the encode functions to rectify this.
<!-- safe -->
The above is safe since we have used HTMLENCODE and JSENCODE to encode, and hence it's hard for an attacker to inject script or insert an iframe.
Edit
For your code try like below
Edit 2
Use the String function to wrap the field, because JSENCODE only accepts TEXT.
If you need any assistance, please let me know.
Kindly mark my solution as the best answer if it helps you.
Thanks
Mukesh
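The following Visualforce page is an added example to illustrate the answer above; it is not the original poster's or the answerer's code. It assumes a hypothetical custom controller named WrapperXssDemo that exposes a property rows of type List<RowWrapper>, where the hypothetical RowWrapper class has a public String field name (holding stored, user-supplied data) and a public Integer field count. It goes slightly beyond the thread by showing the three output contexts that matter here side by side: the HTML body, a JavaScript string inside a script tag, and a JavaScript string inside an HTML event attribute. The vulnerable forms are kept only for comparison and should not be deployed.

```html
<!-- Added example, not from the original post. Assumes a hypothetical
     controller WrapperXssDemo with List<RowWrapper> rows; RowWrapper has a
     public String name (stored user input) and a public Integer count.
     Note: no merge-field syntax is used inside these comments, because
     Visualforce evaluates merge fields even inside HTML comments. -->
<apex:page controller="WrapperXssDemo">

  <!-- VULNERABLE 1: HTML context with escape="false". The attribute switches
       off the built-in auto-encoding, so a stored name such as
       <script>alert(document.cookie)</script> is rendered as live markup. -->
  <apex:repeat value="{!rows}" var="w">
    <p><apex:outputText value="{!w.name}" escape="false"/></p>
  </apex:repeat>

  <!-- VULNERABLE 2: JavaScript string context. Merge fields inside a script
       tag are not auto-encoded, so a stored name such as
       '); alert(document.cookie); // closes the string literal and runs. -->
  <script>
    var unsafeNames = [];
    <apex:repeat value="{!rows}" var="w">
      unsafeNames.push('{!w.name}');
    </apex:repeat>
  </script>

  <!-- SAFE 1: HTML context. HTMLENCODE turns the reserved characters into
       character references, so the same payload is displayed as text. Without
       escape="false" the auto-encoding would already do this; encoding
       explicitly keeps the row safe even if someone later adds the attribute. -->
  <apex:repeat value="{!rows}" var="w">
    <p><apex:outputText value="{!HTMLENCODE(w.name)}" escape="false"/></p>
  </apex:repeat>

  <!-- SAFE 2: JavaScript string context. JSENCODE backslash-escapes quotes
       and backslashes, so the value cannot close the literal. JSENCODE takes
       text only, so the Integer field is passed through TEXT() first; this is
       the same point as the String wrapping in Edit 2 of the answer. -->
  <script>
    var rows = [];
    <apex:repeat value="{!rows}" var="w">
      rows.push({
        name:  '{!JSENCODE(w.name)}',
        count: parseInt('{!JSENCODE(TEXT(w.count))}', 10)
      });
    </apex:repeat>

    function show(name) { window.alert(name); }
  </script>

  <!-- SAFE 3: JavaScript inside an HTML attribute. The browser decodes HTML
       character references in the attribute value before the JavaScript
       engine parses it, so the value must be JS-encoded first and then
       HTML-encoded: JSINHTMLENCODE(x) is HTMLENCODE(JSENCODE(x)). HTMLENCODE
       alone would hand a decoded quote to the JS parser; JSENCODE alone would
       leave a raw double quote that terminates the attribute. -->
  <apex:repeat value="{!rows}" var="w">
    <button type="button" onclick="show('{!JSINHTMLENCODE(w.name)}')">
      {!w.name}
    </button>
  </apex:repeat>

</apex:page>
```

The practical check for the poster's situation is to look at where each wrapper field lands in the rendered page: a field that is both displayed in the body and copied into a script block needs a different encoding function at each location, and an escape="false" anywhere on the path to the field is what the scanner is most likely reporting.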
I had already tried JSENCODE & JSINHTMLENCODE; both did not work.
See the code below: