vagish

How to resolve below XSS issues-

Object: select in file: classes\OpportunitySync.cls
L 412: tempOpp = [select Id, AccountId, Name, Description, StageName from Opportunity where Id =: opportunityId];

Object: tempopp in file: classes\OpportunitySync.cls
L 412: tempOpp = [select Id, AccountId, Name, Description, StageName from Opportunity where Id =: opportunityId];

Object: opportunitysync in file: pages\Opportunity_Sync.page
L 77: <apex:outputText value="{!syncDS.syncError}" escape="false"/>

Object: opportunitysync____46 in file: pages\Opportunity_Sync.page
L 77: <apex:outputText value="{!syncDS.syncError}" escape="false"/>

Object: opportunitysync____46 in file: pages\Opportunity_Sync.page
L 77: <apex:outputText value="{!syncDS.syncError}" escape="false"/>

Object: getsyncdslist45 in file: pages\Opportunity_Sync.page
L 77: <apex:outputText value="{!syncDS.syncError}" escape="false"/>

Object: getsyncdslist45 in file: pages\Opportunity_Sync.page
L 77: <apex:outputText value="{!syncDS.syncError}" escape="false"/>

Object: syncdslist in file: classes\OpportunitySync.cls
L 483: return syncDSList;

The first two made sense and I should change that to a dynamic query. However, I am not sure what fix is expected for the rest of them. Can anyone make a point-fix comment to figure out at least any of them (except the initial two)?
Naval Sharma4
Hi Vagish,

For the first two, use the escapeSingleQuotes method.
String strEsc = String.escapeSingleQuotes(opportunityId); //<-- pass through escape method
tempOpp = [select Id, AccountId, Name, Description, StageName from Opportunity where Id =: strEsc];
For the rest of them, use HTMLENCODE in the value property.
<apex:outputText value="{!HTMLENCODE(syncDS.syncError)}" escape="false"/>

This will help you to avoid XSS issues.

Thanks,
Naval
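As an added example (not code from the original thread or from the OpportunitySync project), the Apex below shows where each of the two escaping techniques actually matters: `String.escapeSingleQuotes` only protects query text that is built by string concatenation and run through `Database.query`, while a bind variable (`:opportunityId`) in static SOQL, as in the scanner's line 412, never becomes part of the query text. For the `syncError` finding, the string is HTML-encoded in Apex with `String.escapeHtml4()` only where the page needs to keep `escape="false"` for its own markup. The class name `OpportunitySyncHardened`, the `SyncRow` wrapper and the `buildSyncError*` methods and `reason` parameter are assumptions made for illustration.

```apex
public with sharing class OpportunitySyncHardened {

    // Hypothetical wrapper standing in for the syncDS rows on the page (name is an assumption).
    public class SyncRow {
        public String syncError { get; set; }
    }

    // Static SOQL with a bind variable. The value is passed to the query engine as a
    // parameter and is never spliced into the query text, so it cannot alter the query.
    // No escaping is needed here; the scanner hit on this form is a false positive.
    public static Opportunity loadStatic(Id opportunityId) {
        return [SELECT Id, AccountId, Name, Description, StageName
                FROM Opportunity WHERE Id = :opportunityId];
    }

    // Dynamic SOQL built from a String. Only here does escapeSingleQuotes matter,
    // because the caller-controlled value is concatenated into the query text.
    public static Opportunity loadDynamicEscaped(String opportunityId) {
        String q = 'SELECT Id, AccountId, Name, Description, StageName FROM Opportunity '
                 + 'WHERE Id = \'' + String.escapeSingleQuotes(opportunityId) + '\'';
        return (Opportunity) Database.query(q);
    }

    // Database.query also accepts bind variables that are in scope, which removes the
    // concatenation entirely and is the preferred form if the query must stay dynamic.
    public static Opportunity loadDynamicBound(String opportunityId) {
        String q = 'SELECT Id, AccountId, Name, Description, StageName FROM Opportunity '
                 + 'WHERE Id = :opportunityId';
        return (Opportunity) Database.query(q);
    }

    // Plain-text error for a page that uses the default escape="true" on apex:outputText.
    // Record fields such as Name are attacker-influenced (anyone who can edit the record),
    // so the page, not this method, must encode them on output; do NOT pre-encode here,
    // or the page's own escaping will double-encode (e.g. "&lt;" rendering literally).
    public static String buildSyncError(Opportunity opp, String reason) {
        String name = (opp == null || opp.Name == null) ? '' : opp.Name;
        return 'Sync failed for ' + name + ': ' + (reason == null ? '' : reason);
    }

    // Variant for a page that must keep escape="false" to render its own <b>/<br/> markup.
    // Every untrusted fragment is HTML-encoded in Apex before it is concatenated with the
    // markup, so only the markup written here reaches the browser unescaped.
    public static String buildSyncErrorHtml(Opportunity opp, String reason) {
        String name = (opp == null || opp.Name == null) ? '' : opp.Name.escapeHtml4();
        String why  = (reason == null) ? '' : reason.escapeHtml4();
        return 'Sync failed for <b>' + name + '</b><br/>' + why;
    }
}
```

On the Visualforce side the simplest fix is to drop `escape="false"` from the `apex:outputText` on page line 77, since the attribute defaults to `true` and then encodes `<`, `>`, `&` and quotes for you. If the error string is built with `buildSyncErrorHtml` and the page keeps `escape="false"`, wrapping the value in `HTMLENCODE()` as well would re-encode the `<b>` markup; use one of the two, not both.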