S Wittenstein

I am attempting to complete Prevent XSS in Lightning Platform Applications.

The only feedback the challenge provides is: "It doesn't appear that you've fixed all of the merge fields to prevent cross-site scripting vectors. Please check your code again."

This feedback is provided even if I delete all the code. I've provided what I think is the correct answer, but no dice.

Can someone tell me what I've got wrong? I've spent more than 2 hours on this 45-minute exercise.

Code as follows:

<apex:page controller="XSS_Mitigations_Challenge" sidebar="false" tabStyle="XSS_Mitigations_Challenge__tab">
<apex:sectionHeader title="XSS Mitigations Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
            <c:codeLink type="Visualforce" namespace="" edit="true" name="XSS_Mitigations_Challenge" description="Edit this Visualforce page to perform the challenge."/>
                        
            <apex:outputText value="{!sampleMergeField1}"/>
            <!--apex:outputText value="{!sampleMergeField1}"/-->
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
            <!--apex:outputText value="{!sampleMergeField2}" escape="false"/-->
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!--apex:outputText >
                {!sampleMergeField3}
            </apex:outputText-->
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <script>
                document.write('{!JSENCODE(sampleMergeField4)}');
            </script>
            <!--style>
                document.write('{!JSENCODE(sampleMergeField4)}');
            </style-->
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->

             
            
            {!JSINHTMLENCODE(sampleMergeField5)}
            <!--{!sampleMergeField5}-->
            <!-- sampleMergeField5 is vulnerable to XSS: YES -->
            
            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            <!--script>
                var x = '{!sampleMergeField6}';
            </script-->
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            <apex:outputLabel value="{!JSINHTMLENCODE(sampleMergeField7)}" escape="false"/>
            <!--apex:outputLabel value="{!sampleMergeField7}" escape="false"/-->
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->      


        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="XSS_Mitigations_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
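The seven merge fields in the page above each sit in a different output context, and that is the point of the exercise: the encoder has to match where the value lands. The script below is an added example, not code from the original post or from Salesforce. Its htmlEncode, jsEncode and jsInHtmlEncode are simplified stand-ins for Visualforce's HTMLENCODE, JSENCODE and JSINHTMLENCODE (JSINHTMLENCODE is assumed here to behave like JSENCODE applied after HTMLENCODE), the three sink checks are a rough model of how a browser treats the output rather than a real HTML or JavaScript parser, and the payloads are constructed for the demonstration. It does not claim to reproduce what the Trailhead checker expects; it shows which encoder leaves which context exploitable.

```javascript
'use strict';
// Added example, not code from the original post or from Salesforce. The same
// payload is placed into three sinks and the breakout check is re-run after
// each encoder. htmlEncode / jsEncode / jsInHtmlEncode are simplified stand-ins
// for Visualforce's HTMLENCODE, JSENCODE and JSINHTMLENCODE (assumed to equal
// JSENCODE(HTMLENCODE(x))); the sink checks are a model, not a browser.
// Every payload below is constructed for the demonstration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body / attribute context: neutralise the characters that can start a
// tag, end an attribute value or begin an entity.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: backslash-escape what can terminate the
// literal, and turn '<' / '>' into \u escapes so "</script>" inside the
// literal cannot close the enclosing <script> element.
function jsEncode(s) {
  return String(s).replace(/[\\'"\r\n<>\u2028\u2029]/g, c => {
    switch (c) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '\r': return '\\r';
      case '\n': return '\\n';
      default: return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Value that a script will later write into the DOM: it must survive the
// string literal AND still be harmless as markup afterwards.
function jsInHtmlEncode(s) {
  return jsEncode(htmlEncode(s));
}

// Undo jsEncode the way the JS engine does when it evaluates the literal, so
// we can inspect what the script actually holds at run time.
function jsStringDecode(lit) {
  return lit.replace(/\\(u[0-9a-fA-F]{4}|[\s\S])/g, (_, e) => {
    if (e[0] === 'u' && e.length === 5) return String.fromCharCode(parseInt(e.slice(1), 16));
    return e === 'n' ? '\n' : e === 'r' ? '\r' : e;
  });
}

// Sink A: output lands directly in HTML (what escape="false" does).
// Any raw '<' in the output is markup injection.
function htmlBodyInjects(output) {
  return output.includes('<');
}

// Sink B: output lands inside a single-quoted JS string literal in <script>.
// Breakout = an unescaped quote, a raw line break, or "</script" anywhere
// (the HTML parser closes the element before JS ever sees the quoting).
function jsStringLiteralBreaks(output) {
  if (/<\/script/i.test(output)) return true;
  for (let i = 0; i < output.length; i++) {
    const c = output[i];
    if (c === '\\') { i++; continue; }          // escape sequence: skip next char
    if (c === "'" || c === '\n' || c === '\r') return true;
  }
  return false;
}

// Sink C: the literal from sink B is passed to document.write(). Even when
// the literal is intact, its decoded value becomes markup.
function documentWriteInjects(output) {
  return jsStringLiteralBreaks(output) || htmlBodyInjects(jsStringDecode(output));
}

const ENCODERS = { raw: s => s, HTMLENCODE: htmlEncode, JSENCODE: jsEncode, JSINHTMLENCODE: jsInHtmlEncode };

// For one payload, report which encoder leaves which sink exploitable.
function audit(payload) {
  const result = {};
  for (const [name, enc] of Object.entries(ENCODERS)) {
    const out = enc(payload);
    result[name] = {
      htmlBody: htmlBodyInjects(out),
      jsString: jsStringLiteralBreaks(out),
      documentWrite: documentWriteInjects(out),
    };
  }
  return result;
}

// Constructed payloads, one per way of breaking out.
const PAYLOADS = {
  tag: '<img src=x onerror=alert(1)>',               // markup in HTML body / document.write
  quote: "'); alert(document.cookie); ('",            // terminates a JS string literal
  closeScript: '</script><script>alert(1)</script>',  // closes the <script> element itself
  newline: '\n alert(1) //',                          // raw line break inside the literal
};

function main() {
  for (const [label, p] of Object.entries(PAYLOADS)) {
    console.log(label, JSON.stringify(audit(p)));
  }
}
if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with node and read the table per sink. The result worth noticing is the document.write sink: JSENCODE keeps the string literal intact, but once the script evaluates \u003c back to < and writes it into the document the markup is live again, so that sink needs the value HTML-encoded before it is JavaScript-encoded (the JSINHTMLENCODE row). A false in the table means the constructed payload did not break that sink, not that the encoder is the right one for that context; HTMLENCODE leaving a raw line break inside a JS literal (the newline row) is the illustration of that.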
