Kris Charatonik

Pass parameter from JavaScript to Rerender causes XSS problem

Hi,
I got my apex code scan back with XSS error here:
<apex:page standardController="Lead" tabStyle="MyCompany_Campaign__tab" sidebar="false" extensions="MyCompanyPageExtension" >
So no more details...
The only logic that my page does is the following:
Contains my canvas app that is called like this:
<apex:canvasApp applicationName="MyCompany"  namespacePrefix="MyCompany"  canvasId="MyCompany_Canvas" parameters="{CampaignId:'{!$CurrentPage.parameters.CampaignId}',CampaignName:'{!$CurrentPage.parameters.CampaignName}'}"  />
Gets a leadID from my code (read from salesforce SOQL).
1. I have a publish event in my JavaScript that passes this LeadID (e.leadid) from my canvas app.
2. I subscribe to said event in the Visualforce page JavaScript:
Sfdc.canvas.controller.subscribe({name : 'CallLogic.showLead', onData : function (e) { passStringToController(e.leadid); }} );
3. The passStringToController function uses logic I found here (Salesforce Forums) to display the lead details next to my canvas app so the user can edit them and continue working with my canvas app.
<apex:actionFunction name="passStringToController" action="{!myMethod}" rerender="idToRerender"> 
<apex:param name="p1" value="" assignTo="{!kId}" /> 
</apex:actionFunction>
<div id="content" >
 <apex:outputPanel id="idToRerender2"> 
 <apex:outputPanel id="idToRerender"> 
  <apex:detail inlineEdit="true" subject="{!kID}" id="DetailSection"  />
 </apex:outputPanel>
 </apex:outputPanel>
</div>
The Visualforce page uses my custom page extension extensions="SomethingPageExtension" and kId just has {get; set;}
public String kId { get; set; }


I assume that the XSS error is in the JavaScript on my Visualforce page:
Sfdc.canvas.controller.subscribe({name : 'CallLogic.showLead', 
onData : function (e) { 
passStringToController(e.leadid); }   // <<-------- XSS must be this?????? Can I secure it somehow?
} );
Or in the way I call my canvas app with parameters:
parameters="{CampaignId:'{!$CurrentPage.parameters.CampaignId}',CampaignName:'{!$CurrentPage.parameters.CampaignName}'}"

What do you guys think?
Can I somehow sanitize the JavaScript (something like JSENCODE inside the get/set or inside the JavaScript code)?
Or maybe I should URL- or HTMLENCODE the parameters that go to the canvas app? All these values are coming from Salesforce; e.leadId is the lead ID, like "70136000123Gf3u". The campaign name, well, that's user input, but it comes from Salesforce, and my application only saves it and doesn't display it anywhere (it has SQL command escapes and all the proper ways of handling user input).

I would appreciate any help, thank you so much for your time.
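Of the two candidates the post names, the `parameters` attribute is the one that embeds raw URL query values (`{!$CurrentPage.parameters.CampaignName}`) inside single-quoted strings of a JavaScript object literal, which is exactly the situation Visualforce's JSENCODE exists for. The block below is an added example, not the poster's code or Salesforce's implementation: `jsEncode` is an approximation of what a JavaScript-string encoder does, `buildParameters` reproduces the shape of the page's `parameters` literal with the merge fields already substituted, and `roundTrips` checks whether a value survives being placed into that literal unchanged. The campaign ID is the sample ID quoted in the post; the campaign names are constructed.

```javascript
// Added example (not from the original post). Demonstrates why a URL parameter
// interpolated into a JavaScript object literal must be JavaScript-encoded
// before it is placed inside a quoted string. jsEncode is an approximation of
// an encoder such as Visualforce's JSENCODE, written for this example.

// Backslash-escape every character that could terminate or alter a single- or
// double-quoted JS string literal. Angle brackets become \u003C / \u003E so the
// result is also safe inside an inline <script> block (a literal "</script>"
// would otherwise end the block early).
function jsEncode(value) {
  return String(value).replace(/[\\'"\n\r\u2028\u2029<>]/g, function (ch) {
    switch (ch) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\u2028': return '\\u2028';
      case '\u2029': return '\\u2029';
      case '<': return '\\u003C';
      case '>': return '\\u003E';
    }
  });
}

// Build the value of the canvasApp `parameters` attribute the way the page
// does, after the merge fields have been replaced by their URL values.
// `encoder` is whatever (if anything) was applied to each value first.
function buildParameters(campaignId, campaignName, encoder) {
  return "{CampaignId:'" + encoder(campaignId) + "'," +
         "CampaignName:'" + encoder(campaignName) + "'}";
}

// Parse the literal as the browser would, returning the resulting object.
// Used only to show what actually reaches the canvas framework.
function parseLiteral(literal) {
  return new Function('return (' + literal + ');')();
}

// True when the campaign name placed into the literal comes back unchanged;
// false when it broke the literal (SyntaxError) or altered its structure.
function roundTrips(campaignName, encoder) {
  var campaignId = '70136000123Gf3u'; // sample ID quoted in the post
  try {
    var parsed = parseLiteral(buildParameters(campaignId, campaignName, encoder));
    return parsed.CampaignName === campaignName;
  } catch (err) {
    return false; // the value terminated the string literal early
  }
}

function identity(s) { return s; }

// Constructed sample: an ordinary name with an apostrophe is enough to break
// the unencoded literal; with encoding it survives intact.
var sampleName = "Bob's Q4 Campaign";
console.log('unencoded round-trips:', roundTrips(sampleName, identity)); // false
console.log('encoded round-trips:  ', roundTrips(sampleName, jsEncode)); // true
console.log('encoded literal:', buildParameters('70136000123Gf3u', sampleName, jsEncode));
```

The point the scanner is making is the unencoded case: any value that contains a quote, backslash or newline changes the meaning of the literal, and a value an attacker controls through the URL can do so deliberately. Wrapping each merge field in `JSENCODE(...)` inside the `parameters` attribute keeps every value confined to its string, which is what `roundTrips` verifies here. The `e.leadid` path, by contrast, goes through `apex:param` to the controller and is rendered by `apex:detail`, which applies Visualforce's default output escaping, so it is the less likely source of the finding.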