apexpages.currentpage().getparameters().get('name') XSS error
Hello,
I have two Visualforce pages through which I'm navigating. During the navigation I'm putting some values in the page2 URL so that I can access them in page2, as shown below.

```apex
// In the page 1 controller: redirect to Page2, passing the value in the URL
public PageReference callPage2() {
    PageReference pr = new PageReference('/apex/Page2?name=' + value);
    pr.setRedirect(true);
    return pr;
}

// In the page2 controller: read the URL parameter and use it in a SOQL query
public page2Controller() {
    String receivedName = ApexPages.currentPage().getParameters().get('name');
    xyz__c x = [SELECT Id FROM xyz__c WHERE Name = :receivedName];
}
```
However, when I submitted the code to the Salesforce security scanner I'm getting an XSS error for this code.
This might be because of the use of page parameters in the SOQL query.
What can be the solution to this? Is there any way by which I can encode or verify the page parameters for vulnerabilities in the Apex code?
Please help!
Thanks in advance,
Saurabh
and then the standardController will actually be reused in the second page and you can just access the same record again in your extension (just using controller.getRecord like you usually do).
If they are different object types between the two pages, I suppose what you have done is the typical way one would approach this; I've only been through the security scanner a couple of times myself, and I guess I can see why this might be a vulnerability (you could pass any URL into page 2 and attempt to load xyz__c records). Do you definitely have "with sharing" on your second controller, to mitigate the effect of this?
```apex
receivedName = String.escapeSingleQuotes(receivedName);
```
or install the managed/unmanaged package ESAPI from https://code.google.com/archive/p/force-dot-com-esapi/wikis/GettingStarted.wiki
```apex
receivedName = ESAPI.encoder().SFDC_HTMLENCODE(receivedName);
```
After this, run the security scanner again and let us know.
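Putting the suggestions from this thread together, here is a hardened version of the page2 controller as an added example (not the poster's code or anything from the ESAPI project). It assumes a custom object xyz__c with a standard Name field; the permitted character set and length limit for the parameter are assumptions chosen for the example.

```apex
// Added example: page2 controller that validates the URL parameter before
// querying and exposes an HTML-encoded value for the page to render.
public with sharing class Page2Controller {
    // Render in Visualforce as {!HTMLENCODE(receivedName)} or via getSafeName()
    public String receivedName { get; private set; }
    public xyz__c record { get; private set; }

    public Page2Controller() {
        String raw = ApexPages.currentPage().getParameters().get('name');

        // 1. Reject missing or implausible input before it reaches a query.
        //    The allowed characters and the 80-char cap are example assumptions.
        if (String.isBlank(raw) || raw.length() > 80
                || !Pattern.matches('[A-Za-z0-9 _-]+', raw)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Invalid name parameter.'));
            return;
        }

        // 2. Neutralise single quotes. A bind variable in static SOQL is already
        //    safe, but the scanner treats URL parameters as tainted, and this
        //    protects any dynamic Database.query() built from the value later.
        receivedName = String.escapeSingleQuotes(raw);

        // 3. Static SOQL with a bind variable, never string concatenation.
        //    'with sharing' above keeps the lookup within the user's record access.
        List<xyz__c> rows = [SELECT Id, Name FROM xyz__c
                             WHERE Name = :receivedName LIMIT 1];
        record = rows.isEmpty() ? null : rows[0];
    }

    // HTML-encode for output where the markup cannot use HTMLENCODE();
    // String.escapeHtml4 plays the same role as ESAPI's SFDC_HTMLENCODE.
    public String getSafeName() {
        return receivedName == null ? '' : receivedName.escapeHtml4();
    }
}
```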