kaarthiksankar AD

Cross Site Request Forgery when receiving post data

I am posting large data from an HTML page to one of my VF pages, which has a custom controller.
In the VF page controller I receive the data in a page-load method using ApexPages.currentPage().getParameters() and insert it into one of my custom objects. Everything works fine.
But when I submitted my instance for a Checkmarx security review, it shows a CSRF error for this page.

Referring to the URL https://developer.salesforce.com/forums/ForumsMain?id=906F0000000997PIAQ, I have enabled 'Require CSRF protection on GET requests' for my VF page, but I am still getting the same CSRF error from Checkmarx.

VF Page:
<apex:page controller="myclass" action="{!fetch}"></apex:page>

controller:
public class myclass {
    // Page action: runs on every GET of the page, before any user interaction
    public void fetch() {
        // Request parameters (query string or POST body) as a String-to-String map
        Map<String, String> objfields = ApexPages.currentPage().getParameters();

        custom1obj__c obj = new custom1obj__c();
        // assign the objfields values to obj here
        insert obj;
    }
}
When I try to access the page directly from the URL, I get the following error:
The link you followed isn't valid. This page requires a CSRF confirmation token. Report this error to your Salesforce administrator.
When posting the data from the HTML page it works fine, as expected. But Checkmarx still reports a CSRF error for this page.

Please help me solve this issue.

Kaarthik

Prem_Pal
You are getting this error because you have used the "action" attribute to call a function that gets parameters from the URL using ApexPages.currentPage().getParameters() and then performs actions on them.

This way the built-in Force.com mechanism for handling CSRF attacks won't work, as you have bypassed the CSRF controls by using an action method.

Please try to avoid using this action method.
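The pattern the reply points at, written out as an added example (this is not the original poster's code or Prem_Pal's): the page action reads the incoming parameters and builds the record but performs no DML; the insert moves into a separate action method that is reachable only from a commandButton inside <apex:form>, so the postback carries the ViewState and with it Salesforce's anti-CSRF token. The class name MyClassSafe, the request parameter 'name' and the use of the object's standard Name field are assumptions made for the example; the object custom1obj__c is the one from the question. The page markup is included as a comment so the example stays in one block.

```apex
/*
 * Visualforce page for this controller (markup shown as a comment):
 *
 * <apex:page controller="MyClassSafe">
 *   <apex:form>
 *     <apex:outputText value="{!record.Name}"/>
 *     <apex:commandButton value="Save" action="{!save}"/>
 *   </apex:form>
 * </apex:page>
 *
 * There is no action="{!...}" on <apex:page>: a GET only renders the page.
 * The insert happens on the postback from the commandButton, which sits inside
 * <apex:form> and therefore carries the ViewState together with the CSRF token.
 */
public with sharing class MyClassSafe {

    // Record built from the incoming parameters; exposed read-only to the page
    public custom1obj__c record { get; private set; }

    public MyClassSafe() {
        record = new custom1obj__c();
        Map<String, String> params = ApexPages.currentPage().getParameters();
        // Copy incoming values into the record but perform no DML here.
        // 'name' is an assumed parameter name for the example; Name is the
        // object's standard Name field.
        record.Name = params.get('name');
    }

    // Action method: reachable only through the form postback. A plain GET of the
    // page URL or a form post from another site does not carry the ViewState/CSRF
    // token, so the platform rejects it before this method runs.
    public PageReference save() {
        insert record;
        return null;
    }
}
```

One caveat for the scenario in the question: an external HTML page that posts directly to the VF page cannot obtain the form token, so this pattern only works when the user confirms the save on the Visualforce page itself. If the requirement really is a cross-site POST into the org, the page action is the wrong entry point and the design needs an authenticated endpoint instead, which is a separate topic from this thread.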