function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Rakesh ERakesh E 

How to resolve "cross site scripting" security threat for array variables



we are using javascript in our VF page which accesses the value of controller varible using merge fileds as below


var temp = {!itemList};


To avoid XSS problem we want to use it as 


var temp = '{!JSENCODE(itemList)}'


but as the controller variable  "itemList" is of type  List we are getting an error while saving. but for primitive varibles we are not getting any error. 


list declaration in Controller  :


List<string> itemList{get;set}



please can anyone suggest what should be done for arrays.


thank you


It appears that merging a list calls an internal toString that is not officially exposed and therefore can't be used with JSENCODE.


Additionally, I am a bit confused as to why you would want to get an array and assign it to a string (or an array to that matter). Your original example is assigning it as an Array (VF converts the array to an output string representing what would become a JS array with your string as object names, not as string). When you try to use JSENCODE you wrap it with single quotes.


Here is the output of your original example if the array included two strings "abc" and "def":

var temp = [abc, def];


If you are trying to get the array of strings from VF and add them to an array of strings in JS (var temp = ['abc', 'def'];)  you probably want to create your output string in the controller and escape using the ESAPI JSENCODE method, or using VF apex:repeat. In both approaches, you should perform JSENCODE on each item on the array.


var temp = new Array();

<apex:repeat value="{!itemList}" var="item">




I recommend using VF and apex:repeat.


Yoel Gluck

Product Security Team @