Ranjith Dev
CSRF Issue - code security review
Hi,
I need to resolve the XSRF issues from the code security review report of our product.
When I preview the VF page I get the error below (the page calls only the controller and the action):
"The link you followed isn't valid. This page requires a CSRF confirmation token. Report this error to your Salesforce administrator."
Case 1:
When I disable this checkbox for the VF page (Require CSRF protection on GET requests), the error no longer appears. But when I pull the report from Salesforce Checkmarx, I get the XSRF errors.
Case 2:
Or we could achieve it by disabling 'Cross-Site Request Forgery (CSRF) Protection':
Security Controls --> Session Settings --> 'Cross-Site Request Forgery (CSRF) Protection'
Please help.
The blog below might answer your query:
https://salesforce.stackexchange.com/questions/166711/the-link-you-followed-isn-t-valid-this-page-requires-a-csrf-confirmation-token
I hope you find the above solution helpful. If it does, please mark it as Best Answer to help others too.
Thanks.
I just wanted to know: did you have to write an action attribute in <apex:page>?
Let me know; I will try to resolve that error.
Thanks,
Foram Rana
FYI:
<apex:page controller="CallbackPage" action="{!CallReceipt}">
    <apex:form id="frm">
        <apex:pageBlock>
        </apex:pageBlock>
    </apex:form>
</apex:page>
Thanks
Ranjith M
Use the code below:
<apex:page controller="CallbackPage">
    <apex:form id="frm">
        <!-- The controller method is no longer bound to the page-level action attribute,
             so it does not run on the GET that loads the page. The actionFunction below
             submits the form (a POST that carries the Visualforce CSRF token) instead. -->
        <apex:actionFunction action="{!CallReceipt}" name="CallReceiptJs" reRender="abc"/>
        <!-- Give the block the id that reRender targets. -->
        <apex:pageBlock id="abc">
        </apex:pageBlock>
    </apex:form>
    <script>
        // Invoke the controller method once the page has rendered.
        CallReceiptJs();
    </script>
</apex:page>
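As an added example (not code from the original thread), here is an Apex controller that the page above could pair with, showing why the page-level action attribute is flagged and what the actionFunction variant changes. The class and method names follow the thread; the Receipt__c object, its Status__c field and the id URL parameter are assumptions for illustration, and the page block that the actionFunction re-renders is assumed to carry id="abc".

```apex
// Added example, not from the original post. Receipt__c, Status__c and the
// 'id' parameter are assumed names used only for illustration.
public with sharing class CallbackPage {

    // Raw value read from the URL when the page loads.
    private final String receiptParam;

    // Rendered inside the re-rendered page block so the user sees the outcome.
    public String status { get; private set; }

    // The constructor runs on the GET that loads the page. Reading request
    // parameters here is fine; what the security review objects to is
    // changing state (DML, callouts) from a GET, because an attacker can make
    // a victim's browser follow any URL with any parameters.
    public CallbackPage() {
        receiptParam = ApexPages.currentPage().getParameters().get('id');
        status = 'pending';
    }

    // VULNERABLE wiring (do not use):
    //   <apex:page controller="CallbackPage" action="{!CallReceipt}">
    // With the action attribute this method would fire on page load, so a link
    // such as /apex/CallbackPage?id=<victim's record> planted anywhere would run
    // the update below under the victim's session with no token check.
    //
    // HARDENED wiring: the method is only reachable through the
    // <apex:actionFunction> inside <apex:form>. That submit is a POST carrying
    // the Visualforce anti-forgery token, which a cross-origin page cannot
    // obtain, so the platform rejects forged submissions.
    public PageReference CallReceipt() {
        if (String.isBlank(receiptParam)) {
            status = 'missing id';
            return null;
        }

        // Parse the parameter as an Id instead of splicing it into a query.
        Id receiptId;
        try {
            receiptId = Id.valueOf(receiptParam);
        } catch (Exception e) {
            status = 'invalid id';
            return null;
        }

        // Make sure the Id really is a Receipt__c and that the running user may
        // update the field; 'with sharing' already limits which rows are visible.
        if (receiptId.getSobjectType() != Receipt__c.SObjectType
                || !Schema.sObjectType.Receipt__c.isUpdateable()
                || !Schema.sObjectType.Receipt__c.fields.Status__c.isUpdateable()) {
            status = 'not permitted';
            return null;
        }

        List<Receipt__c> receipts = [
            SELECT Id, Status__c
            FROM Receipt__c
            WHERE Id = :receiptId
            LIMIT 1
        ];
        if (receipts.isEmpty()) {
            status = 'not found';
            return null;
        }

        // The state change now happens only on a token-protected POST.
        receipts[0].Status__c = 'Delivered';
        update receipts;
        status = 'delivered';
        return null;
    }
}
```

The trade-off to keep in mind: firing the actionFunction automatically from a script still performs the update without an explicit user decision, so a reviewer may ask that the call be tied to a button click instead. Keeping the GET path read-only and the DML behind a form POST is the part that removes the CSRF finding; whether the POST is triggered on load or by a click is a separate design question.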
These XSRF issues come up in the Apex classes (the controller).
The issue starts from the lines below:
1. Map<String, String> mapIncomingValues = ApexPages.currentPage().getParameters();
2. String strDelRcpt = String.escapeSingleQuotes(ApexPages.currentPage().getUrl());
Thanks,
Ranjith
ApexPages.currentPage().getParameters().get('id');
But I haven't got the error. We can use ApexPages.currentPage() in a class; that was not the issue, I guess.
We also got a similar CSRF issue regarding DML on page load, and the security review sent it back for a fix.
We tried the solution as shared by you. Can you please confirm whether your solution was accepted in the next step of the review?
We modified the solution according to our requirement. Do you have any idea whether this would be accepted in the security review?
<apex:page controller="CallbackPage">
    <apex:form id="frm">
        <apex:actionFunction action="{!CallReceipt}" name="CallReceiptJs" reRender="abc"/>
        <apex:pageBlock id="abc">
        </apex:pageBlock>
    </apex:form>
</apex:page>
or
<apex:form id="frm">
    <apex:pageBlock id="pb">
        <apex:actionFunction action="{!priorityChanged}" name="pc" reRender="pb" oncomplete="doneCall();"/>
        <apex:actionFunction action="{!fetchRecords}" name="fr" reRender="pb">
            <apex:param name="data" assignTo="{!initialised}" value=""/>
        </apex:actionFunction>
    </apex:pageBlock>
    <script>
        // First POST on load: priorityChanged; its oncomplete chains the second call.
        window.onload = function () {
            alert('call AF priorityChanged');
            pc();
        };
    </script>
    <script>
        // Second POST, fired only after the first has completed.
        function doneCall() {
            alert('done initialised');
            fr();
        }
    </script>
</apex:form>