• Spencer Mac
  • NEWBIE
  • 0 Points
  • Member since 2013
  • Park & Prospect

Hi,

I'm looking to hire a developer for a quick project that involves creating vf pages that allow a user to look up and select multiple related objects at once. I have the basic code downloaded from github but I am still learning vf and am having trouble integrating it into my custom objects. I'm looking to get this done rather quickly; please contact me if you are interested in taking this on and we can discuss costs, etc.
For example, I have 3 custom record types for the "Account" object; I want to create a basic vf page that only displays the existing records for a specific record type.

I recently submitted a package for review through the security scanner that includes Survey Force from Force Labs. I got results back that identified potential vulnerabilities with XSS (Cross site scripting) and Frame Spoofing. Does anyone know if these are false positives?

Some excerpts of the scanner results:

Reviewing For False Positives
The following conditions may lead to false positives in the output of the report:
• Under certain conditions user input may pass into an apex:iframe and be incorrectly labeled as a bug. If the attacker does not control the beginning of the string being passed into the iframe's source, it is not a vulnerability.
• Validation may be performed on user input in a mechanism that the source code scanner does not recognize.
References: n/a
Path 1:
Query Name - Frame_Spoofing
Severity - Serious
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
Path 2:
Query Name - Frame_Spoofing
Severity - Serious
63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls
...
66. urlType.add(new SelectOption('Email Link w/ Contact Merge',System.Label.LABS_SF_Email_Link_w_Contact_Merge));
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
Path 3:
Query Name - Frame_Spoofing
Severity - Serious
63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls
...
67. urlType.add(new SelectOption('Email Link w/ Contact & Case Merge',System.Label.LABS_SF_Email_Link_w_Contact_Case_Merge));
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
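The scanner's false-positive rule above turns on one question: can the tainted `site` value change the origin (scheme and host) of the iframe src, or only its path? The Python below is an added illustration, not code from the post or from Survey Force: it mirrors the concatenation the report shows (`site + '/'`, then `domain + '/' + urlPrefix + 'TakeSurvey?'`, then `surveyURLBase + surveyURL`), resolves the result the way a browser would, and applies an allowlist check on `site`. The trusted origin and all sample values are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Origin the embedding page lives on; constructed value for this example.
TRUSTED_ORIGIN = "https://example.my.salesforce-sites.com"


def build_survey_url(domain: str, site: str, survey_url: str) -> str:
    """Mirror of the string building shown in the scanner paths."""
    url_prefix = site + "/"                               # setupUrlPrefix(site)
    url_base = domain + "/" + url_prefix + "TakeSurvey?"  # urlToSave
    return url_base + survey_url                          # {!surveyURLBase + surveyURL}


def resolved_origin(src: str, page_origin: str = TRUSTED_ORIGIN) -> str:
    """Origin a browser would load the frame from, after resolving
    relative and protocol-relative src values against the embedding page."""
    parts = urlsplit(urljoin(page_origin + "/", src))
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_site_value_safe(site: str) -> bool:
    """Allowlist for the tainted `site` value: a single path segment of
    letters, digits, '_' or '-', so it cannot carry '/', ':' or '?'.
    This is the kind of validation the scanner may not recognise."""
    return site != "" and all(c.isalnum() or c in "_-" for c in site)


def frame_spoofing_possible(domain: str, site: str, survey_url: str) -> bool:
    """True when the constructed iframe src would leave the trusted origin.
    With a fixed, non-empty `domain` at the front the origin cannot move,
    which is exactly the scanner's 'beginning of the string' criterion."""
    src = build_survey_url(domain, site, survey_url)
    return resolved_origin(src) != TRUSTED_ORIGIN
```

The check only answers the origin question; where `domain` itself comes from in the real controller is not shown in the excerpt, so confirm that separately before closing the finding as a false positive.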
