Apex Code Development You need to sign in to do that
Don't have an account?
Kris Charatonik Pass parameter from javascript to Rerender causes XSS problem
Hi,
I got my apex code scan back with XSS error here:
The only logic that my page does is the following:
Contains my canvas app that is called like this:
1.I have a publish event in my javascript that passes this LeadID (e.leadid) from my canvas app.
2.I subscribe to said event in visualforce page javascript:
I assume that the xss error is in the javascript on my visualforce page:
What do you guys think?
Can I somehow sanitize the javascript (something like JSENCODE inside the get set or inside the javascript code?
Or maybe i shoud URL or HTMLENCODE the parameters that go to the canvas app? All these values are coming from salesforce, e.leadId is the leadid like: "70136000123Gf3u" the campaign name well that user input but comes from salesforce and my application only saves it and doesn't display it anywhere ( has sql command escapes and all the proper ways of handling user input).
I would appreciate any help, thank you so much for your time.
I got my apex code scan back with XSS error here:
<apex:page standardController="Lead" tabStyle="MyCompany_Campaign__tab" sidebar="false" extensions="MyCompanyPageExtension" >So no more details...
The only logic that my page does is the following:
Contains my canvas app that is called like this:
<apex:canvasApp applicationName="MyCompany" namespacePrefix="MyCompany" canvasId="MyCompany_Canvas" parameters="{CampaignId:'{!$CurrentPage.parameters.CampaignId}',CampaignName:'{!$CurrentPage.parameters.CampaignName}'}" />
Gets a leadID from my code (read from salesforce SOQL).1.I have a publish event in my javascript that passes this LeadID (e.leadid) from my canvas app.
2.I subscribe to said event in visualforce page javascript:
Sfdc.canvas.controller.subscribe({name : 'CallLogic.showLead', onData : function (e) { passStringToController(e.leadid); }} );
3. The passStringToController function uses logic I found here (Salesforce Forums) to display the lead details next to my canvas app so the user can edit them and continue working with my canvas app.
<apex:actionFunction name="passStringToController" action="{!myMethod}" rerender="idToRerender">
<apex:param name="p1" value="" assignTo="{!kId}" />
</apex:actionFunction>
<div id="content" >
<apex:outputPanel id="idToRerender2">
<apex:outputPanel id="idToRerender">
<apex:detail inlineEdit="true" subject="{!kID}" id="DetailSection" />
</apex:outputPanel>
</apex:outputPanel>
</div>
The visualforce page uses my custom page externsion extensions="SomethingPageExtension" and kId just has {get; set;}
public String kId { get; set; }
I assume that the xss error is in the javascript on my visualforce page:
Sfdc.canvas.controller.subscribe({name : 'CallLogic.showLead',
onData : function (e) {
passStringToController(e.leadid); } // <<-------- xss must be this?????? Can i secure it somehow?
} );
Or in the way I call my canvas app with parameters
parameters="{CampaignId:'{!$CurrentPage.parameters.CampaignId}',CampaignName:'{!$CurrentPage.parameters.CampaignName}'}"
What do you guys think?
Can I somehow sanitize the javascript (something like JSENCODE inside the get set or inside the javascript code?
Or maybe i shoud URL or HTMLENCODE the parameters that go to the canvas app? All these values are coming from salesforce, e.leadId is the leadid like: "70136000123Gf3u" the campaign name well that user input but comes from salesforce and my application only saves it and doesn't display it anywhere ( has sql command escapes and all the proper ways of handling user input).
I would appreciate any help, thank you so much for your time.