Shephali Swarnkar

Got CRUD and XSS Security failure for Managed package

Hi All,

I have got a little idea of the CRUD/FLS Enforcement Vulnerability and found the following approach to overcome it.

<!-- This would normally bypass automatic FLS enforcement for accessibility -->
<apex:outputText value="{!contactName}"
                 rendered="{!$ObjectType.Contact.fields.Name.Accessible}" />

public with sharing class LeadDeleteExtension {
    private Lead l;

    public LeadDeleteExtension(ApexPages.StandardController ctr) {
        l = [SELECT Id FROM Lead WHERE Id = :ctr.getRecord().Id];
    }

    public PageReference deleteLead() {
        // Check if the user has delete access on the Lead object
        if (!Lead.sObjectType.getDescribe().isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL,
                                                       'Insufficient access'));
            return null;
        }
        delete l;
        return null;
    }
}

Question:
1. Do I need to write such code for each field of every object I have used in my App, or is there any other way so that I can rectify it in one go?
2. I am unable to identify what an XSS (cross-site scripting) security failure is and how to solve such issues in the App.
Shephali Swarnkar
Thank you Prolay For your quick response.
Shephali Swarnkar

Hi Prolay,
I have got Reflected XSS Vulnerabilities for my App. The lines mentioned in the report are:

Reproduction steps:
1. Login to the native application
2. Navigate to the respective tab
3. Select user from drop down list, intercept the request
4. Apply attack value in mentioned parameter name.

I am unable to find out where and what needs to be changed.
Note: On the above mentioned page we select the user from a drop down list and get the details of the tasks assigned to that user.

Up to my understanding, I may have got this XSS issue because I have used the following Apex code to get the details of the user's task list:

<apex:pageBlock title="Details" id="block1">
    <apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
</apex:pageBlock>

But at the same time, when I browse this link, I found:

  {!$CurrentPage.parameters.userInput} <!-- safe (auto HTML Encoded) -->

Question: If this is not vulnerable to XSS, then why did I get this reflected XSS for my App?

Need help to find out the exact vulnerable code and a solution for that.
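The two questions above (checking CRUD/FLS for many fields "in one go", and the page that binds $CurrentPage.parameters.UserInput straight into apex:detail) can be handled in a single controller. The class below is an added example, not code from this thread or from the package in question: TaskListController, the Task fields it reads and the 'UserInput' parameter name are assumptions. It validates the parameter as a User Id in Apex before the page ever sees it, and runs one reusable describe-based check over every field it queries.

```apex
// Added example, not code from the thread: TaskListController, the Task fields
// and the 'UserInput' parameter name are assumptions for illustration.
public with sharing class TaskListController {
    // Fields the page reads from Task; FLS is checked for all of them in one go.
    private static final List<String> TASK_FIELDS =
        new List<String>{ 'Subject', 'Status', 'ActivityDate' };
    public Id selectedUserId { get; private set; }
    public List<Task> tasks { get; private set; }

    public TaskListController() {
        // Validate the request parameter here instead of binding it raw in the page:
        // only a well-formed Id that belongs to the User object is accepted.
        selectedUserId = parseUserId(
            ApexPages.currentPage().getParameters().get('UserInput'));
        tasks = new List<Task>();
        if (selectedUserId == null) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Invalid user selection.'));
            return;
        }
        // Object-level (CRUD) and field-level (FLS) read checks before the query.
        if (!Task.sObjectType.getDescribe().isAccessible()
                || !fieldsAccessible(Task.sObjectType, TASK_FIELDS)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.FATAL, 'Insufficient access'));
            return;
        }
        tasks = [SELECT Subject, Status, ActivityDate FROM Task
                 WHERE OwnerId = :selectedUserId ORDER BY ActivityDate DESC LIMIT 200];
    }

    // Returns the value as a User Id, or null if it is not one.
    private static Id parseUserId(String value) {
        if (String.isBlank(value)) return null;
        try {
            Id candidate = Id.valueOf(value);
            return candidate.getSObjectType() == User.sObjectType ? candidate : null;
        } catch (StringException e) {
            return null;
        }
    }

    // Reusable FLS check: true only if every named field is readable by the running user.
    private static Boolean fieldsAccessible(Schema.SObjectType type, List<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = type.getDescribe().fields.getMap();
        for (String name : fieldNames) {
            Schema.SObjectField f = fieldMap.get(name.toLowerCase());
            if (f == null || !f.getDescribe().isAccessible()) return false;
        }
        return true;
    }
}
```

The Visualforce page then uses subject="{!selectedUserId}" and iterates {!tasks} instead of referencing $CurrentPage.parameters.UserInput directly, so the scanner sees a typed Id from the controller rather than a raw request parameter.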