Pratik Raut 14

Client Potential XSS error - Checkmarx

Hi All,
In the code scan, I am facing the Client Potential XSS issue.
Scan Result:
[screenshot of the Checkmarx scan result, not included]
Can anyone please provide me a solution for this?

Thanks,
Pratik
Amit Kumar Giri
Pratik - There are a whole bunch of things that need to be checked in the clauseDeleteConfirm function. Check this; mostly you need to:
1. Wrap your variable with HTMLENCODE and JSENCODE to encode it, so it is hard for an attacker to inject a script or insert an iframe. Like the example below:
<div onclick="this.innerHTML='Howdy {!JSENCODE(HTMLENCODE(Account.Name))}'">Click me!</div>
2. I see you used \' in the code? That is what you need to escape.
Check this. This will give you all possible XSS attacks and help you use them:
https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
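To see why the nested JSENCODE(HTMLENCODE()) in the snippet above is about matching the browser's decoding order, here is an added example (not code from this thread or from Salesforce) that simulates what a browser does with that onclick attribute: it decodes HTML character references in the attribute value, then reads the single-quoted JavaScript string literal, then treats the result as the HTML that innerHTML would parse. The htmlEncode, jsEncodeMinimal and jsEncodeHex functions are local approximations of the Visualforce formulas; the page does not define the exact character set the real JSENCODE escapes, so both a minimal and an AntiXSS-style hex-escaping variant are modelled to show that the difference matters inside an event-handler attribute. The payloads are constructed test inputs.

```javascript
// Added example, not from the thread or from Salesforce. It simulates the three
// decoding steps a browser applies to the onclick snippet in the answer above:
//   1. the HTML parser decodes character references in the attribute value
//   2. JavaScript decodes the single-quoted string literal
//   3. innerHTML parses the resulting string as HTML
// and reports what an attacker-controlled value ends up doing. The encoders are
// approximations of the Visualforce formulas (assumption: their exact character
// sets are not given on the page), so verify the real ones with the same payloads.

// Approximation of HTMLENCODE: escape the five HTML-significant characters.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Approximation of a minimal JSENCODE: backslash-escape only the characters that
// can end or alter a JavaScript string literal.
function jsEncodeMinimal(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r' };
  return String(s).replace(/[\\'"\n\r]/g, c => map[c]);
}

// Approximation of an AntiXSS-style JSENCODE: hex-escape every non-alphanumeric
// character, which leaves nothing for the HTML attribute parser to decode.
function jsEncodeHex(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Build the markup from the answer above with `encode` applied to the name.
function buildMarkup(name, encode) {
  return `<div onclick="this.innerHTML='Howdy ${encode(name)}'">Click me!</div>`;
}

// Step 1 (and the text decoding of step 3): HTML character reference decoding.
function decodeHtmlEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|lt|gt|amp|quot);/gi, (_m, ref) => {
    if (ref[0] !== '#') return named[ref.toLowerCase()];
    const hex = ref[1].toLowerCase() === 'x';
    return String.fromCharCode(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Step 2: read a single-quoted JavaScript string literal from the start of `src`.
// Returns the decoded value and the source after the closing quote; a non-empty
// remainder is code the attacker got outside the literal.
function readJsStringLiteral(src) {
  if (src[0] !== "'") throw new Error('expected a single-quoted literal');
  let value = '';
  for (let i = 1; i < src.length; i++) {
    const c = src[i];
    if (c === "'") return { value, rest: src.slice(i + 1) };
    if (c !== '\\') { value += c; continue; }
    const n = src[i + 1];
    if (n === undefined) break;
    if (n === 'x') { value += String.fromCharCode(parseInt(src.substr(i + 2, 2), 16)); i += 3; }
    else if (n === 'u') { value += String.fromCharCode(parseInt(src.substr(i + 2, 4), 16)); i += 5; }
    else { value += ({ n: '\n', r: '\r', t: '\t' })[n] ?? n; i += 1; }
  }
  throw new Error('unterminated string literal');
}

// Simulate clicking the div: extract the attribute, run steps 1-3 and report
// whether the attacker escaped the string literal or got markup into innerHTML.
function simulateClick(markup) {
  const attr = /onclick="([^"]*)"/.exec(markup)[1];
  const js = decodeHtmlEntities(attr);                       // step 1
  const prefix = "this.innerHTML=";
  const lit = readJsStringLiteral(js.slice(prefix.length));  // step 2
  const rendersTag = /<\/?[a-z!]/i.test(lit.value);          // step 3 would parse a tag
  return {
    injectedCode: lit.rest.trim(),
    rendersTag,
    text: rendersTag ? null : decodeHtmlEntities(lit.value),
  };
}

// Constructed attacker-controlled values: one breaks out of the string literal,
// the other smuggles a tag into innerHTML.
const PAYLOADS = ["x'; alert(1); //", '<img src=x onerror=alert(1)>'];

function demo() {
  const results = {};
  for (const p of PAYLOADS) {
    results[p] = {
      raw: simulateClick(buildMarkup(p, s => s)),
      minimal: simulateClick(buildMarkup(p, s => jsEncodeMinimal(htmlEncode(s)))),
      hex: simulateClick(buildMarkup(p, s => jsEncodeHex(htmlEncode(s)))),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point the simulation makes: the attribute parser runs first and undoes any HTML entities the inner HTMLENCODE produced, so a JSENCODE that leaves `&` alone lets `&#39;` turn back into a quote and `&lt;img` back into a tag before JavaScript ever runs. An encoder that hex-escapes everything non-alphanumeric survives that step, and the innerHTML stage then shows the original value as plain text. Because the real formula's behaviour is not shown on this page, run the two constructed payloads through the actual Visualforce page once to confirm which case applies; a value that only exists in the browser (a JavaScript variable rather than a merge field) never passes through a server-side formula and must be encoded, or assigned via textContent, on the client instead.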
 
Pratik Raut 14
Hello Amit,

If I wrap the o.value variable with JSENCODE(HTMLENCODE()), i.e. {!JSENCODE(HTMLENCODE(o[0].value))}, then it gives an error:
Unknown property 'Subcontract__cStandardController.o'

Can you please suggest anything on this?