+ Start a Discussion
Ranjith DevRanjith Dev 

CSRF Issue - code security review

Hi,
Need to resolve the XSRF  issues from Code security review report of Product

When i preview the vf page i got the below error (In the page call only the controller and action)
"The link you followed isn’t valid. This page requires a CSRF confirmation token. Report this error to your Salesforce administrator."
Case 1.
when disable this checkbox for Vf page (Require CSRF protection on GET requests) - the error is not getting. But when i pull the report from Salesforce checkmarx i got the XSRF errors.

Case2:
or we can achive through the possible to disable the 'Cross-Site Request Forgery (CSRF) Protection'
Security controls -->session settings-->'Cross-Site Request Forgery (CSRF) Protection'

Please help
AbhishekAbhishek (Salesforce Developers) 
Hi Ranjith,

The below blog might answer your query,

https://salesforce.stackexchange.com/questions/166711/the-link-you-followed-isn-t-valid-this-page-requires-a-csrf-confirmation-token

I hope you find the above solution helpful. If it does, please mark as Best Answer to help others too.

Thanks.
Foram Rana RForam Rana R
Hi Ranjith,

I just wanted to know Did you have to write an action attribute in  <apex: page> ?
Let me know I will try to resolve that error.

Thanks,
Foram Rana
Ranjith DevRanjith Dev
Yes, Rana. i have written the page like this.
FYI:
<apex:page controller="CallbackPage"  action="{!CallReceipt}">
    <apex:form id="frm" >
      <apex:pageblock >
      </apex:pageblock>
  </apex:form>
</apex:page>

Thanks
Ranjith M
Foram Rana RForam Rana R
That why you got this error, remove the action attribute.

use below code : 

<apex:page controller="CallbackPage">
    <apex:form id="frm" >
    <apex:actionFunction action="{!CallReceipt}" name="CallReceiptJs" reRender="abc"/>
      <apex:pageblock >
      </apex:pageblock>
  </apex:form>
  
  <script>
    CallReceiptJs();
    </script> 
    
</apex:page>
Ranjith DevRanjith Dev
Earlier i had tried this scenario and generate the report from Salesforce checkmarx and got some XSRF issues.

This XSRF issues come across in the Apex classes (Controller).
the issue is starting from here below:
1. Map<string, string> mapincomingvalues=Apexpages.CurrentPage().getParameters();
2. string strDelRcpt= string.escapeSingleQuotes(Apexpages.CurrentPage().getUrl());

Thanks,
Ranjith
 
Foram Rana RForam Rana R
Even I have  Use the same :
ApexPages.CurrentPage().getparameters().get('id');
But I haven't get the error we can use ApexPages.CurrentPage() in class that was not the Issue I guess.
 
Gaurang Deshpande 18Gaurang Deshpande 18
Hi Rana, 

We also got similar issue of CSRF regarding the DML on page load and  the security review sent back for fix.
we tried with the solution as shared by you  . Can you please confirm if your solution was accepted in the next step of review.

We modified the solution according to our requiremnt. Do you have any idea of this would  be accepted in security review.


<apex:page controller="CallbackPage">
    <apex:form id="frm" >
    <apex:actionFunction action="{!CallReceipt}" name="CallReceiptJs" reRender="abc"/>
      <apex:pageblock >
      </apex:pageblock>
  </apex:form>
  
or 
<apex:form id="frm" >
<apex:pageblock id="pb">
<apex:actionFunction action="{!priorityChanged}" name="pc" reRender="pb" oncomplete="doneCall();" />
<apex:actionFunction action="{!fetchRecords}" name="fr" reRender="pb" >
<apex:param name="data" assignTo="{!initialised}" value=""/>
</apex:actionFunction>
</apex:pageblock>
<script>

window.onload=function()
{
alert('call AF priorityChanged');
pc();
};

</script>

<script>
function doneCall(){
alert('done initialised ');fr();
}

</script>
</apex:form>