function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Saurabh Kulkarni 34Saurabh Kulkarni 34 

apexpages.currentpage().getparameters().get('name') XSS error


I have two visualforce pages through which i'm navigating,, during the navigation i'm putting some values in the page2 URL so that i can accesss them in page2.. As show below..
//In page 1 controller 
 public pageReference callPage2()
  PageReference pr = new PageReference('/apex/Page2?name='+value);
  return pr;

// in page2 controller

public page2Controller() 
  String receivedName = apexpages.currentpage().getparameters().get('name');

  xyz__c x = [select id from xyz__c where name=:receivedName];


However, when i submitted the code to salesforce security scanner i'm getting XSS error for this code..
This might be because of the use of page parameters in the SOQL query.
What can be the solution to this?? Is there any way by which I can encode or verify the page parameters for vulnerability in the apex code..

Please help!
Thanks in advance,

String receivedName = apexpages.currentpage().getparameters().get('value');
srlawr uksrlawr uk
Do the two pages use the same standard controller/object type? If they do, what you actually want to do is user

and then the standardController will actually be reused in the second page and you can just access the same record again in your extension (just using controller.getRecord) like you usually do).

If they are different object types between the two pages, I suppose what you have done is the typical way one would approach this, I've only been through the security scanner a couple of times myself.. and I guess I can see why this might be a vunerability (you could pass any URL into page 2 and attempt to load xyz__c records). Do you definitely have "with sharing" on your second controller, to mitigate the effect of this?
Try this 
receivedName  = string.escapesinglequotes(receivedName);

or install managed/umanaged package ESAPI from

receivedName  = ESAPI.encoder().SFDC_HTMLENCODE(receivedName)

after this run security scanner again and let us know