miku1051

Cross-site Scripting (XSS) in security review?

I am getting Cross-site Scripting (XSS) while scanning in the force.com scanner. If I remove the JavaScript there is no error. What do I need to change in the JavaScript code? Please help, it's quite urgent... maybe encode something...

Class

public class meetingCtlr1 {
    // Account id taken from the page URL parameter
    public String accid = ApexPages.currentPage().getParameters().get('accid');
    public List<Contact> conRecList { get; set; }

    public meetingCtlr1(ApexPages.StandardController controller) {
        conRecList = [SELECT Id, Name, Email FROM Contact WHERE AccountId = :accid];
    }
}

conRecList is used on the VF page.

I have used this in JavaScript on the VF page:
<script>
    for(var i=0;i<{!conRecList.size};i++)
    var id='thePage:theform:thePB:conTable:'+i+':'+checkboxid;
    document.getElementById(id).checked=bool; 
</script>  
sfdcfox
It may be a red herring, but your code has at least one problem: the loop needs braces to be correct. The scope of id is in the loop, but the assignment of the checkbox is outside the loop. Try fixing the code. You may need to use jsencode to satisfy the scanner, but this is unnecessary for a successful review.
miku1051

Braces aren't an issue; I missed them while copy-pasting.

{!JSINHTMLENCODE(conRecList.size)} gives me an error. How do I satisfy this condition so that the scanner is satisfied?
Incorrect argument type for function 'JSINHTMLENCODE()'

Can you have a look at what I have done wrong? conRecList.size always returns an integer, so how do I encode it?

Please help!

Bhawani Sharma
Create a public variable to hold the list size and use it in JavaScript with
{!JSENCODE(listSize)}
miku1051

Thanks for replying, but it's still not working.

var listSize = {!conRecList.size};
function checkVisitor(bool, checkboxid) {
    for (var i = 0; i < listSize; i++) {
        var id = 'thePage:theform:thePB:conTable:' + i + ':' + checkboxid;
        document.getElementById(id).checked = bool;
    }
}

If I use for(var i=0;i<JSENCODE(listSize);i++) the code saves with no errors, but the functionality is not working. Can you suggest anything?

Amitd

Hi Miku,

Please use this code. Hope this will work for you.

var listSize = escape({!conRecList.size});
function checkVisitor(bool, checkboxid) {
    for (var i = 0; i < listSize; i++) {
        var id = 'thePage:theform:thePB:conTable:' + i + ':' + checkboxid;
        document.getElementById(id).checked = bool;
    }
}

Please mark this as solution if it helps you.

KUDOS

Salesforce Developer, Salesforce Administrator

Bhawani Sharma
Initialize listSize in your controller class and use it on the page.
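As an added example, not code from this thread, the following Node-runnable model shows the approach Bhawani Sharma describes: the size comes from a controller property, the page emits it through JSENCODE (which takes text, so an integer is first converted with the TEXT() formula function, which is what the JSINHTMLENCODE type error above is about), and the script parses the encoded string back into a number with a safe fallback. jsEncode here is an approximation of Visualforce's JSENCODE written for this example, renderScript stands in for the Visualforce page, and listSize/checkboxid follow the names used in the thread.

```javascript
// Approximation of Visualforce JSENCODE, written for this example (not Salesforce's code):
// escape each character that could end a JS string literal or the enclosing <script>.
function jsEncode(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003C')   // so "</script>" inside a value cannot close the block
    .replace(/>/g, '\\u003E');
}

// Stand-in for the Visualforce page. The merge value is emitted only inside an encoded
// string literal and converted to a number in the browser, never spliced in as bare JS.
// On the real page the first line would be:
//   var listSize = parseInt('{!JSENCODE(TEXT(listSize))}', 10);
function renderScript(listSize) {
  return "var listSize = parseInt('" + jsEncode(listSize) + "', 10);\n" +
    'if (isNaN(listSize)) { listSize = 0; }\n' +      // tampered value degrades to "no rows"
    'function checkVisitor(bool, checkboxid) {\n' +
    '  for (var i = 0; i < listSize; i++) {\n' +
    "    var id = 'thePage:theform:thePB:conTable:' + i + ':' + checkboxid;\n" +
    '    var el = document.getElementById(id);\n' +
    '    if (el) { el.checked = bool; }\n' +
    '  }\n' +
    '}\n';
}

// Runs the rendered script in an isolated function scope and reports what listSize
// resolved to. Function() is used here only to exercise the generated text offline.
function resolvedListSize(value) {
  return new Function(renderScript(value) + 'return listSize;')();
}

// Encoding must keep legitimate data intact: the decoded literal equals the input.
function roundTrips(value) {
  return new Function("return '" + jsEncode(value) + "';")() === value;
}
```

A non-numeric or tampered value never reaches the script as code: it either parses to its leading digits or degrades to zero iterations.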