Shephali Swarnkar
Got CRUD and XSS Security failure for Managed package
Hi All,
I have only a little idea about the CRUD/FLS Enforcement vulnerability; I found the following approach to overcome it.
e.g.:
<!-- This would normally bypass automatic FLS enforcement for accessibility -->
<apex:outputText value="{!contactName}" rendered="{!$ObjectType.Contact.fields.Name.Accessible}" />

public with sharing class LeadDeleteExtension {
    private Lead l;

    public LeadDeleteExtension(ApexPages.StandardController ctr) {
        l = [SELECT Id FROM Lead WHERE Id = :ctr.getRecord().Id];
    }

    public PageReference deleteLead() {
        // Check if the user has delete access on the Lead object
        if (!Lead.sObjectType.getDescribe().isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL, 'Insufficient access'));
            return null;
        }
        delete l;
        return null;
    }
}

Question:
1. Do I need to write such code for each field of every object I have used in my app, or is there any other way so that I can rectify it in one go?
2. I am unable to identify what an XSS (cross-site scripting) security failure is and how to solve such issues in the app.
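The first question (whether the describe check has to be repeated per field) can be answered with one reusable helper. The class below is an added example written for this thread; it is not code from the original post or from the Salesforce guide, and the class, enum and method names are my own. It performs the object-level CRUD check and the field-level security check for any sObject and any list of field API names, so a controller calls it once before each SOQL query or DML statement instead of hand-writing a check per field.

```apex
// Added example (not from the original post): one helper that performs
// object-level CRUD and field-level security (FLS) checks for any object.
public with sharing class AccessCheck {
    // Operation the caller is about to perform on the listed fields.
    public enum Op { READABLE, CREATABLE, UPDATABLE }

    public class AccessException extends Exception {}

    // Object-level check for deletes (no field list applies), e.g.
    // AccessCheck.canDelete(Lead.sObjectType) in a delete action.
    public static Boolean canDelete(Schema.SObjectType t) {
        return t.getDescribe().isDeletable();
    }

    // Returns the field names the running user may NOT use for the given
    // operation. An empty list means the operation is fully permitted.
    // Unknown field names are reported as denied so the check fails closed.
    public static List<String> deniedFields(Schema.SObjectType t, List<String> fieldNames, Op op) {
        List<String> denied = new List<String>();
        Schema.DescribeSObjectResult objDescribe = t.getDescribe();

        // Object-level CRUD first: if the object itself is off limits,
        // every requested field is denied.
        Boolean objectOk = (op == Op.READABLE)  ? objDescribe.isAccessible()
                         : (op == Op.CREATABLE) ? objDescribe.isCreateable()
                         : objDescribe.isUpdateable();
        if (!objectOk) {
            return new List<String>(fieldNames);
        }

        // Field-level security: the describe map is keyed by lower-case API name.
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String f : fieldNames) {
            Schema.SObjectField fld = fieldMap.get(f.toLowerCase());
            if (fld == null) {
                denied.add(f);
                continue;
            }
            Schema.DescribeFieldResult d = fld.getDescribe();
            Boolean fieldOk = (op == Op.READABLE)  ? d.isAccessible()
                            : (op == Op.CREATABLE) ? d.isCreateable()
                            : d.isUpdateable();
            if (!fieldOk) {
                denied.add(f);
            }
        }
        return denied;
    }

    // Convenience wrapper: throws before the query or DML runs so the caller
    // fails closed and can surface one message instead of per-field logic.
    public static void enforce(Schema.SObjectType t, List<String> fieldNames, Op op) {
        List<String> denied = deniedFields(t, fieldNames, op);
        if (!denied.isEmpty()) {
            throw new AccessException(op.name() + ' access denied on '
                + t.getDescribe().getName() + ' fields: ' + String.join(denied, ', '));
        }
    }
}

// Usage inside a controller, before the update statement (assumed field names):
//   AccessCheck.enforce(Contact.sObjectType,
//       new List<String>{ 'FirstName', 'LastName', 'Email' },
//       AccessCheck.Op.UPDATABLE);
//   update c;
```

The helper keeps the same describe calls the post's LeadDeleteExtension uses (`getDescribe().isDeletable()` and the per-field `isAccessible()`/`isCreateable()`/`isUpdateable()`), only centralised. On newer API versions the platform also offers declarative equivalents, `Security.stripInaccessible()` for record lists and `WITH SECURITY_ENFORCED` on SOQL; those post-date the wiki page linked in this thread, so the describe-based helper is the portable option.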
https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting
Hi Prolay,
I have got Reflected XSS vulnerabilities for my app. The lines mentioned in the report are:
Reproduction steps:
1. Login to the native application
2. Navigate to the respective tab
3. Select user from drop down list, intercept the request
4. Apply attack value in mentioned parameter name.
I am unable to find out where and what needs to be changed.
Note: In the above mentioned page we used to select the user from a drop down list and get the details of the task assigned to that user.
----------------------------------------------------------------
To my understanding, I may have got this XSS issue because I have used the following Apex code to get the details of the user's task list:
<apex:pageBlock title="Details" id="block1">
<apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
</apex:pageBlock>
But at the same time, when I browse this link https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting#Apex_and_Visualforce_Applications
I found
<apex:outputText>
{!$CurrentPage.parameters.userInput} <!-- safe (auto HTML Encoded) -->
</apex:outputText>
Question: If this is not vulnerable to XSS, then why did I get this reflected XSS for my app?
I need help to find out the exact vulnerable code and a solution for it.
Thanks
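The snippet in the post binds the raw request parameter `$CurrentPage.parameters.UserInput` straight into the page, whereas the guide's safe example reflects the parameter only as text inside an outputText body, where Visualforce HTML-encodes it. The subject of apex:detail is not displayed as text; it is consumed as a record Id, so output encoding is not the relevant defence there and the scanner's finding is about the untrusted value reaching the page unvalidated. The controller below is an added example, not code from the original post or from the Salesforce guide; the class, property and method names are assumptions. It validates the parameter as a well-formed Id of the User object before the page ever sees it, and shows explicit HTML encoding for the case where a free-text value genuinely has to be echoed.

```apex
// Added example (not from the original post): validate the URL parameter in
// the controller and bind the typed result, never the raw parameter, in the page.
public with sharing class UserTaskController {
    // Typed, validated value the Visualforce page binds instead of the raw parameter.
    public Id selectedUserId { get; private set; }
    public String errorMessage { get; private set; }

    public UserTaskController() {
        // Raw request parameter: untrusted, attacker-controllable through the URL.
        // 'UserInput' is the parameter name used in the post.
        String raw = ApexPages.currentPage().getParameters().get('UserInput');
        selectedUserId = parseUserId(raw);
        if (selectedUserId == null && String.isNotBlank(raw)) {
            // Fixed message: the rejected value itself is not reflected back.
            errorMessage = 'The selected user is not valid.';
        }
    }

    // Accepts only a well-formed Salesforce Id that belongs to the User object.
    // Script payloads, Ids of other objects and blank input all yield null.
    public static Id parseUserId(String raw) {
        if (String.isBlank(raw)) {
            return null;
        }
        try {
            Id candidate = Id.valueOf(raw.trim());
            return candidate.getSObjectType() == User.sObjectType ? candidate : null;
        } catch (StringException e) {
            // Id.valueOf throws for anything that is not a 15/18-character Id.
            return null;
        }
    }

    // For values that really must be echoed as text (e.g. a search term):
    // encode for the HTML context explicitly instead of relying on the
    // component to do it, which it will not when escape="false" is set.
    public static String safeEcho(String raw) {
        return raw == null ? '' : raw.escapeHtml4();
    }
}
```

With this controller the page binds the validated property, for example `<apex:detail subject="{!selectedUserId}" relatedList="false" rendered="{!NOT(ISBLANK(selectedUserId))}"/>`, and shows `{!errorMessage}` in an outputText otherwise. The design point is that input validation and output encoding are separate controls: an Id-typed sink needs a validated Id, a text sink needs context-appropriate encoding, and a raw URL parameter should be bound to neither.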