How to avoid the escape attribute for preventing an XSS attack
Hi, I want to avoid an XSS attack for the statement below.
<apex:pageBlock id="Guides" rendered="{!SampleController.isGuides}" >
    <apex:dataTable value="{!SampleController.GuDocument}" var="doc" border="0" cellspacing="0" cellpadding="0" columns="1" width="100%">
        <apex:column >
            <b><apex:outputLink value="{!doc.url}" target="_blank" onfocus="" > {!doc.Header} </apex:outputLink></b>
            <br/><br/><apex:outputText value="{!doc.Data}" ></apex:outputText><br/><br/>
        </apex:column>
    </apex:dataTable>
</apex:pageBlock>
But the line above marked in red has the escape attribute (escape="false"), since I am getting that value from a field which is a rich text area. But I want to avoid using escape="false" in order to prevent an XSS attack. If I remove the escape attribute it shows the HTML tags along with the text (e.g. <span style="font-size: 10.0pt; color: blue; "><br><br><br><br></span>). I am not able to see any HTML tags in that field. How can I avoid displaying those HTML tags and still not be affected by an XSS attack? Can anyone please help me out of this?
For a rich text area you should be able to use apex:outputField to display the content formatted.
Hi,
Thanks for your reply. I cannot use outputField since I am getting the value from the controller. Is there any way of decoding/encoding the HTML string?
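One way to handle the situation in this thread, as an added example that is not part of the original posts: encoding the value (`{!HTMLENCODE(doc.Data)}` in the page or `String.escapeHtml4()` in Apex) would reproduce exactly the "tags shown as text" result above, because it turns every `<` into `&lt;`. What escape="false" needs is server-side sanitisation instead: keep an allowlist of harmless formatting tags, drop every attribute (style, onclick, href, ...), and encode everything else as text. The class and method names below are assumptions, and the approach is a deliberately small regex allowlist rather than a full HTML parser.

```apex
// Added example (not from the original thread): a server-side allowlist
// sanitizer for rich text area HTML. Class and method names are assumptions.
public with sharing class RichTextSanitizer {

    // Formatting tags the page is willing to render verbatim. Attributes are
    // never kept, so style, onclick, href and similar never reach the browser.
    private static final Set<String> ALLOWED_TAGS = new Set<String>{
        'b', 'i', 'u', 'strong', 'em', 'p', 'br', 'ul', 'ol', 'li', 'span'
    };

    // One opening or closing tag: group 1 is the optional '/', group 2 the tag name.
    // A '<' not followed by a letter is not a tag and is encoded as text.
    private static final Pattern TAG_PATTERN =
        Pattern.compile('<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>');

    // Returns markup that is safe to bind with escape="false": only allowlisted
    // tags survive (attribute-free), everything else is treated as text and encoded.
    public static String sanitize(String html) {
        if (String.isBlank(html)) {
            return '';
        }
        String result = '';
        Integer last = 0;
        Matcher m = TAG_PATTERN.matcher(html);
        while (m.find()) {
            // Text between tags is normalised (decode, then encode) so existing
            // entities such as &amp; are not double-encoded and a typed '<' stays text.
            result += encodeText(html.substring(last, m.start()));
            String name = m.group(2).toLowerCase();
            if (ALLOWED_TAGS.contains(name)) {
                // Re-emit the tag without any attributes.
                result += '<' + m.group(1) + name + '>';
            }
            // A disallowed tag (script, iframe, img, a, svg, ...) is dropped entirely;
            // any text it wrapped is still emitted, but as encoded text.
            last = m.end();
        }
        result += encodeText(html.substring(last));
        return result;
    }

    private static String encodeText(String text) {
        return text.unescapeHtml4().escapeHtml4();
    }
}
```

In the controller, expose the sanitised value through a getter on the wrapper used as `var="doc"` (for example `public String getSafeData() { return RichTextSanitizer.sanitize(Data); }`, an assumed name) and bind `<apex:outputText value="{!doc.SafeData}" escape="false"/>`. The `<span style="...">` from the question becomes a bare `<span>` and the `<br>` tags are kept, so the stored formatting is rendered rather than shown as text, while `<script>`, `<img onerror=...>` or an `onclick` on a `<b>` never reach the page. Two caveats: links need an `href` allowlist with scheme validation (only `http`/`https`), which this example deliberately does not attempt; and when the sObject itself can be bound, `apex:outputField` as suggested in the answer above is the simpler option, since the wrapper only blocks it because it exposes plain strings rather than the record.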