Avoid Cross-site Scripting (XSS) using <apex:outputtext escape=false>
How to avoid Cross-site Scripting (XSS) using
<apex:outputText value="{!gadgetHTMLContent}" escape="false"/>
In the above outputText, gadgetHTMLContent is always HTML content, e.g. <div id="Test"></div>. For displaying HTML content we have to use escape="false". But whenever we try to write escape="false", an error comes up about Cross-site Scripting (XSS) attacks. How can we avoid this attack while using escape="false"?
Please reply, anyone who has any idea about this, as soon as possible. It is very urgent.
Thanks, Souvik.
To avoid XSS for <apex:outputText value="{!gadgetContent}" escape="false"/>, use
<apex:dynamicComponent componentValue="{!gadgetHTMLContent}"/>
and the variable "gadgetHTMLContent" should be of type "Component.Apex.OutputText".
Sample code which may help you:
----------------------------------------------
Apex controller method to return the HTML result to print at the VF page:
public Component.Apex.OutputText getGadgetHTMLContent() {
    // Build an outputText component with escaping turned off
    Component.Apex.OutputText oppText = new Component.Apex.OutputText(escape = false);
    oppText.value = gadgetContent; // gadgetContent is the variable which holds the HTML content
    return oppText;
}
Now use the getXXX method at the VF page:
<apex:outputPanel rendered="{!gadgetHTMLContent != null}" layout="none">
    <apex:dynamicComponent componentValue="{!gadgetHTMLContent}"/>
</apex:outputPanel>
All Answers
Try to use the ENCODE functions:
<apex:outputText value="{!HTMLENCODE(gadgetHTMLContent)}" escape="false"/>
More about encoding functions here: http://www.salesforce.com/us/developer/docs/pages/Content/pages_variables_functions.htm
Any way I can get that output as a tooltip? I need to show an HTML table on mouse hover; this table will be built in the controller.
Thanks.
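An added example, not code from anyone in this thread: a controller that builds the hover table itself, so the table markup is fixed by the developer and only the cell values vary, and every value is run through Apex's String.escapeHtml4() before it is concatenated. The class name, the Row type and the sample rows are assumptions made for the example. Running HTMLENCODE over the whole string, as suggested in the other answer, would instead encode the table tags and show them as literal text; escape="false", whether on a static outputText or on a dynamic Component.Apex.OutputText, emits the string exactly as built, which is why the security scanner flags it and why the string has to be made safe at the point where it is assembled.

```apex
// Added example (not from the original thread). The table skeleton is trusted
// developer-written markup; only the data values are untrusted, and each one is
// HTML-encoded before concatenation, so escape="false" on the page never emits
// raw user-controlled text.
public with sharing class GadgetTooltipController {

    // Hypothetical row type for the example; a real page would use records or DTOs.
    public class Row {
        public String name;
        public String status;
        public Row(String name, String status) {
            this.name = name;
            this.status = status;
        }
    }

    public List<Row> rows;

    public GadgetTooltipController() {
        // Constructed sample data. The second row carries markup of the kind an
        // attacker might store in a field; after encoding it renders as plain text.
        rows = new List<Row>{
            new Row('Alpha', 'Open'),
            new Row('<script>alert(1)</script>', 'Closed'),
            new Row(null, 'Pending')
        };
    }

    // Bound on the page as {!gadgetHTMLContent}; returns a complete <table>.
    public String getGadgetHTMLContent() {
        String html = '<table class="gadgetTooltip"><tr><th>Name</th><th>Status</th></tr>';
        for (Row r : rows) {
            html += '<tr><td>' + encodeCell(r.name) + '</td><td>' + encodeCell(r.status) + '</td></tr>';
        }
        return html + '</table>';
    }

    // Null-safe HTML encoding of one cell value: <, >, &, " become entities.
    private static String encodeCell(String value) {
        return value == null ? '' : value.escapeHtml4();
    }
}
```

On the page this getter can be rendered with the same <apex:outputText value="{!gadgetHTMLContent}" escape="false"/> from the question; for the hover behaviour, one option is to place that outputText inside an <apex:outputPanel> that is hidden by default and revealed with a CSS :hover rule on the element the mouse rests on (page markup assumed, not shown). The invariant to keep is that no string reaches escape="false" unless every variable part of it went through escapeHtml4() (or an equivalent context-appropriate encoder) when the string was built.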