• neal.harris

Is anyone having issues with the security scanner at the moment? I understand it's experiencing delays, but there is nothing new there.


Got a report through mentioning a whole load of critical issues because of exposed decimal and boolean values from an sObject in Visualforce. As far as I'm aware - can't see any issue with that!


Got no issues with text fields however, so that proves that the code is secure but the report is seriously wrong.



I have a question about custom labels. If a custom label is defined that contains an XSS attack (say by a disgruntled developer on his way out the door), is there anything beyond what the apex:output* tag provides to prevent the XSS from succeeding? In other words, if Label.bad is set to the string alert('xss'), and the output is wrapped like


 <apex:outputText escape="false" value="{!Label.bad}"/>


or is just raw like




will the attack succeed? Is there anything that prevents a malicious user from putting Javascript and/or markup into custom labels in the first place? Any additional data sanitization that occurs before the label is stored?
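As an added illustration of the escaping question above (not code from this thread or from Salesforce), here is a small Python audit that parses a constructed CustomLabels.labels metadata file, flags labels whose values carry markup or script-like content, and approximates with html.escape what apex:outputText emits by default versus with escape="false". The metadata namespace is the one Salesforce metadata files use; the sample labels, the regex and the render() approximation are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# Namespace used by Salesforce metadata files such as CustomLabels.labels
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample metadata: one benign label and one tampered label.
SAMPLE_LABELS = """<?xml version="1.0" encoding="UTF-8"?>
<CustomLabels xmlns="http://soap.sforce.com/2006/04/metadata">
    <labels>
        <fullName>greeting</fullName>
        <language>en_US</language>
        <value>Welcome back, friend &amp; colleague</value>
    </labels>
    <labels>
        <fullName>bad</fullName>
        <language>en_US</language>
        <value>&lt;script&gt;alert('xss')&lt;/script&gt;</value>
    </labels>
</CustomLabels>
"""

# Assumed heuristic: opening/closing tags, javascript: URLs, or on*= handlers.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_labels(xml_text: str) -> dict:
    """Return {fullName: value} for every <labels> entry in the metadata file."""
    root = ET.fromstring(xml_text)
    out = {}
    for node in root.findall("md:labels", NS):
        name = node.findtext("md:fullName", default="", namespaces=NS)
        out[name] = node.findtext("md:value", default="", namespaces=NS)
    return out


def render(value: str, escape: bool = True) -> str:
    """Approximate apex:outputText: HTML-escaped by default, raw when escape="false".

    html.escape is an approximation of the platform's HTML-context escaping,
    not Salesforce's own implementation.
    """
    return html.escape(value, quote=True) if escape else value


def audit_labels(xml_text: str) -> list:
    """Names of labels whose stored value looks like markup or script."""
    labels = parse_labels(xml_text)
    return sorted(name for name, value in labels.items() if SUSPICIOUS.search(value))
```

Running audit_labels over a real CustomLabels.labels export from source control flags labels worth reviewing; render() shows why the default escaping neutralises such a value while escape="false" passes it through untouched.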