Praneetha Murakonda

Cross Site Scripting issue in <apex:outputText>

Hi All,

I'm fetching the "Body" value from the Idea object; it can be either text or an image. I display it in <apex:outputText> like below:
<apex:outputText value="{!varObjIdea.objIdea.Body}" escape="false"/>

I'm facing a Stored XSS issue on the Visualforce page in <apex:outputText>.

So, I'm trying to use the encoding methods [HTMLENCODE, JSENCODE, JSINHTMLENCODE, URLENCODE] in <apex:outputText> like:
<apex:outputText value="{!HTMLENCODE(varObjIdea.objIdea.Body)}" escape="false"/>

But I'm not able to display the image on the Visualforce page; it is displayed as text.

If anyone knows the solution to this problem, please let me know.

Thanks!





 
Lakshman
Sample code to achieve this:
public class SampleClass {

    // Raw bytes of the idea image. How it is retrieved (for example from an
    // Attachment or ContentVersion record) is not shown here.
    private Blob ideasBlob;

    public String getImageBody() {
        Blob b = ideasBlob; // retrieve the ideas image blob
        // Base64 output contains only [A-Za-z0-9+/=], so the value can be placed
        // inside a data: URI without any HTML or attribute delimiter reaching the page.
        String blobStr = EncodingUtil.base64Encode(b);
        return blobStr;
    }
}

VF page:
<apex:page controller="SampleClass" sidebar="false" showHeader="false" standardStylesheets="false" >
    <head>
        <style>
        body, html { width:100% ;
            height:100% ;
            overflow:hidden ;
        }
        
        iframe { width:100% ;
                height:100% ;
            border:none ;
        }
        </style>
        
    </head>
    <body>
    <iframe src="data:image/jpeg;base64,{!ImageBody}" height="100%"></iframe> 
    </body>
</apex:page>
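The following is an added example, not code from either post above. It reproduces in plain JavaScript the three situations the thread describes: the original `escape="false"` rendering, where whatever markup is stored in the Body field reaches the browser (the stored XSS); the asker's HTMLENCODE attempt, where an `<img>` tag becomes visible text (the symptom reported); and the answer's approach of building a `data:` URI from the raw image bytes, with a strict base64 check and a media-type allowlist added so that nothing from the stored value can close the `src` attribute or change the URI's type. The `htmlEncode` helper, the `ALLOWED_TYPES` list and the sample payload and PNG bytes are assumptions made for this example.

```javascript
// Added example (not from the original thread). Demonstrates why HTMLENCODE
// shows an <img> as text, how escape="false" lets stored markup through, and
// how a base64 data: URI carries an image without interpolating any HTML.

// Minimal stand-in for the Visualforce HTMLENCODE function: every character
// that can open markup or end an attribute is replaced by an entity, so the
// browser renders it as literal text. (Assumed equivalent, not the real one.)
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// escape="false": the field value is spliced into the page verbatim, so any
// tag or event handler the user stored in Body is executed by the browser.
function renderUnescaped(body) {
  return `<span>${body}</span>`;
}

// HTMLENCODE(Body): safe, but an <img> stored in Body is now shown as text,
// which is exactly what the asker observed.
function renderEncoded(body) {
  return `<span>${htmlEncode(body)}</span>`;
}

// The answer's approach, hardened. Only the base64 alphabet is interpolated
// into the attribute, and the media type comes from an allowlist, so a stored
// value can never contribute a quote, '<', or ';' to the generated HTML.
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']); // assumed list

function buildImageDataUri(bytes, mediaType) {
  if (!ALLOWED_TYPES.has(mediaType)) {
    throw new Error(`refusing media type ${mediaType}`);
  }
  const b64 = Buffer.from(bytes).toString('base64');
  if (!BASE64_RE.test(b64)) {
    throw new Error('unexpected characters in base64 output');
  }
  return `data:${mediaType};base64,${b64}`;
}

function renderImage(bytes, mediaType) {
  return `<img src="${buildImageDataUri(bytes, mediaType)}" alt="idea image">`;
}

// Constructed sample data: a typical stored-XSS payload for an image field,
// and the first four bytes of a PNG file (the magic number), enough to show
// the encoding without embedding a real picture.
const XSS_BODY = '<img src=x onerror="alert(document.domain)">';
const TINY_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47]);

// Runs all three renderings over the sample data and returns them together.
function demo() {
  return {
    unescaped: renderUnescaped(XSS_BODY),
    encoded: renderEncoded(XSS_BODY),
    image: renderImage(TINY_PNG, 'image/png'),
  };
}
```

Call `demo()` to see the three outputs side by side: the first still contains the `onerror` handler, the second contains only entities, and the third contains an `<img>` whose `src` is built from bytes the application chose rather than from markup the user stored. The same reasoning carries over to the Visualforce page: the value spliced into `data:image/jpeg;base64,{!ImageBody}` is safe because `ImageBody` is base64 output, not because `escape` is set either way.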