souvik9086

Avoid Cross-site Scripting (XSS) using <apex:outputtext escape=false>

How to avoid Cross-site Scripting (XSS) using

<apex:outputtext value="{!gadgetHTMLContent}" escape="false"/>

In the above outputtext, gadgetHTMLContent is always HTML content, e.g. <div id="Test"></div>. For displaying HTML content we have to use escape="false". But whenever we try to write escape="false", an error comes up about Cross-site Scripting (XSS) attacks. How can we avoid this attack when using escape="false"?

Please reply, anyone who has any idea about this, as soon as possible. It is very urgent.

Thanks, Souvik.

Best Answer chosen by Admin (Salesforce Developers) 
Dipak

To avoid XSS for <apex:outputtext value="{!gadgetContent}" escape="false">, use
<apex:dynamicComponent componentValue="{!gadgetHTMLContent}"/>

and the variable "gadgetHTMLContent" should be of type "Component.Apex.OutputText".

Sample Code which may help you
----------------------------------------------
Apex Controller method to return the HTML result to print at VF page:

public Component.Apex.OutputText getGadgetHTMLContent() {
    // gadgetContent is the controller variable that holds the HTML string
    Component.Apex.OutputText oppText = new Component.Apex.OutputText(escape = false);
    oppText.value = gadgetContent;
    return oppText;
}

Now use the getXXX method at the VF page:

<apex:outputPanel rendered="{!gadgetHTMLContent != null}" layout="none">
    <apex:dynamicComponent componentValue="{!gadgetHTMLContent}"/>
</apex:outputPanel>

All Answers

mast0r

Try to use the ENCODE functions:

<apex:outputtext value="{!HTMLENCODE(gadgetHTMLContent)}" escape="false"/>

More about encoding functions here: http://www.salesforce.com/us/developer/docs/pages/Content/pages_variables_functions.htm

Mitesh Sura

Dipak,

Is there any way I can get that output as a tooltip? I need to show an HTML table on mouse hover; this table will be built in the controller.

Thanks.
Amol Sable

Dipak, thanks, it's helpful.