Arpi

page action attribute gives XSRF issue

Hello,

I have a VF page with an action attribute:

<apex:page standardController="object1" extensions="class2" recordSetVar="sitem" action="{!sectionStat}">

Now in my class I have this method, which does the DML operation:

public void sectionStat()
{
    ...
    ...

    try
    {
        upsert StatusLists;
    }
    catch(DmlException e){System.debug('~~~~~~~~~~~~~EXCEPTION --'+e);}
}

Now when I run the Checkmarx security scanner it gives me an XSRF error.

Then I tried to call this method from the constructor, but I suppose you cannot call a DML operation from a constructor.

So I do not know what to do.

Please help on how to solve this issue.

Thanks

Kyle

Sorry for the late response, just started checking these boards (but maybe this will help somebody in the future)...

CSRF / XSRF will be flagged whenever you perform DML via an action tag, because this DML could be performed without the user's knowledge or consent by forcing them to request the URL secretly (a hidden iFrame on another page). Salesforce protects against CSRF during POST requests, but the nature of a GET request bypasses this protection.

The best practice for avoiding this is to never do a DML change on a GET, and thus not in an action tag. Get more details here: http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Request_Forgery

If you think the DML being performed is harmless (like some sort of garbage collection DML) then you need not be concerned, just make note of this if you are submitting for a security review.
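For anyone landing here later, this is what Kyle's advice looks like in code. It is an added example, not Arpi's class or anything from the thread: the object and field names (Status_Item__c, Status__c, Section__c), the class name SectionStatExtension and the method names loadSection / saveStatus are all assumed. The page's action attribute is kept for loading data (a GET that only reads), and the upsert is moved behind an apex:commandButton inside apex:form, so it runs only on a POST that carries the view state and the platform's anti-CSRF token.

```apex
// Added example, not code from the thread. Object, field, class and
// method names are assumed for illustration.
public with sharing class SectionStatExtension {

    private final ApexPages.StandardSetController setCtrl;
    public List<Status_Item__c> statusLists { get; set; }

    public SectionStatExtension(ApexPages.StandardSetController ctrl) {
        setCtrl = ctrl;
        statusLists = new List<Status_Item__c>();
    }

    // Bound to the page's action attribute, so it runs on the initial GET.
    // It only reads; nothing here changes data, so a forged link to this
    // page cannot cause a write and the scanner has nothing to flag.
    public PageReference loadSection() {
        statusLists = [SELECT Id, Name, Status__c
                       FROM Status_Item__c
                       WHERE Section__c = 'Open'
                       LIMIT 200];
        return null;
    }

    // The DML lives here, reachable only through apex:commandButton inside
    // apex:form. That submit is a POST carrying the view state and the
    // platform's anti-CSRF token, which a crafted URL or hidden iframe
    // cannot supply.
    public PageReference saveStatus() {
        try {
            upsert statusLists;
        } catch (DmlException e) {
            // Surface the failure on the page instead of only in debug logs.
            ApexPages.addMessages(e);
        }
        return null;
    }
}

/* Matching Visualforce page. The original put the DML method in the
   action attribute; here action only loads data and the save is a button.

<apex:page standardController="Status_Item__c"
           extensions="SectionStatExtension"
           recordSetVar="sitem"
           action="{!loadSection}">
    <apex:form>
        <apex:pageMessages />
        <apex:pageBlock title="Section status">
            <apex:pageBlockTable value="{!statusLists}" var="s">
                <apex:column value="{!s.Name}" />
                <apex:column headerValue="Status">
                    <apex:inputField value="{!s.Status__c}" />
                </apex:column>
            </apex:pageBlockTable>
            <apex:pageBlockButtons>
                <apex:commandButton action="{!saveStatus}" value="Save" />
            </apex:pageBlockButtons>
        </apex:pageBlock>
    </apex:form>
</apex:page>
*/
```

The split is the whole point: anything reachable by simply opening the page URL must be read-only, and every write must sit behind a form submit. If the write really has to happen without a click (Kyle's "garbage collection" case), that is the exception you document for the security review rather than something to hide from the scanner.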