+ Start a Discussion
ArpiArpi 

XSS error in google maps javascript

Hello All,

I have a visualforce page that displays the google maps correctly for all accounts but I submitted for security review online and it give me errors on the bold lines(below in code)

 

The error from report

Query Name - Stored_XSS
Severity - Critical
5. public List<Account> getlistacc() //displaylocationmap.cls
       
...
7. accounts=[SELECT id,BillingStreet,BillingCity,BillingPostalCode,BillingCountry,name From Account where
BillingStreet <>NULL and BillingPostalCode<>NULL];
...
10. return accounts;
79. arraddress[i]='!a.BillingStreet}!a.BillingCity}!a.BillingPostalCode}!a.BillingCountry}'; //locationschool.page

 

 

My code-----

<apex:page controller="DisplayLocationMap" showHeader="false" sidebar="false" standardStylesheets="false">
<apex:include pageName="BannerTemplate"/>
<html >
<head>

<script type="text/javascript" src="https://maps.google.com/maps/api/js?sensor=false"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
<script type="text/javascript">
var arraddress= new Array();
var arrids= new Array();
var content=new Array();
var arrnames= new Array();
var i=0;
var map;
var geocoder;
function initialize() {
var mapDiv = document.getElementById('map-canvas');

map = new google.maps.Map(mapDiv, {
zoom: 5,
mapTypeId: google.maps.MapTypeId.ROADMAP
});
google.maps.event.addListenerOnce(map, 'idle', addMarkers);
}

function addMarkers() {
for (var i = 0; i < arraddress.length; i++) {
content[i] = '<b><i>'+arrnames[i]+' </i></b><br/>'+' '+arraddress[i];
var latlng = geocodeAddress(arraddress[i],arrids[i],content[i]);
}
}
function geocodeAddress(addds,id,content)
{
geocoder = new google.maps.Geocoder();
geocoder.geocode( { 'address': addds}, function(results, status) {
if (status == google.maps.GeocoderStatus.OK) {
map.setCenter(results[0].geometry.location);
var marker = new google.maps.Marker({
map: map,
position: results[0].geometry.location
});
var infowindow = new google.maps.InfoWindow({
content: content
});
google.maps.event.addListener(marker, 'mouseover', function() {
infowindow.open(map,this);
});
google.maps.event.addListener(marker, 'mouseout', function() {
infowindow.close();
});
google.maps.event.addListener(marker, 'click', function() {
window.open('/'+id);
});
}
else {
alert("Geocode was not successful for the following reason: " + status);
}
});
}

google.maps.event.addDomListener(window, 'load', initialize);
</script>
<style>
#map-canvas {
font-family: Arial;
font-size:12px;
line-height:normal !important;
height:750px;
background:transparent;
}
</style>


</head>
<body>
<div id="map-canvas"></div>
<apex:repeat value="{!listacc}" var="a">
<script>
arraddress[i]="{!a.BillingStreet},{!a.BillingCity},{!a.BillingPostalCode}{!a.BillingCountry}"; //ERROR ON THESE BOLD 
arrids[i]="{!a.id}"; //LINES
arrnames[i]="{!a.name}";
i++;
</script>
</apex:repeat>
</body>
</html>
</apex:page>

 

 

Controller

public List<Account> accounts=new List<Account>();

public List<Account> getlistacc()
    {
       accounts=[SELECT id,BillingStreet,BillingCity,BillingPostalCode,BillingCountry,name From Account where BillingStreet <>NULL and BillingPostalCode<>NULL];
       return accounts;
    }

}