• Kris Charatonik
  • NEWBIE
  • 0 Points
  • Member since 2016
  • Developer
  • Double A Solutions

Hi,
I got my apex code scan back with XSS error here:
<apex:page standardController="Lead" tabStyle="MyCompany_Campaign__tab" sidebar="false" extensions="MyCompanyPageExtension" >
So no more details...
The only logic that my page does is the following:
Contains my canvas app that is called like this:
<apex:canvasApp applicationName="MyCompany"  namespacePrefix="MyCompany"  canvasId="MyCompany_Canvas" parameters="{CampaignId:'{!$CurrentPage.parameters.CampaignId}',CampaignName:'{!$CurrentPage.parameters.CampaignName}'}"  />
Gets a leadID from my code (read from salesforce SOQL).
1. I have a publish event in my javascript that passes this LeadID (e.leadid) from my canvas app.
2. I subscribe to said event in visualforce page javascript:
Sfdc.canvas.controller.subscribe({name : 'CallLogic.showLead', onData : function (e) { passStringToController(e.leadid); }} );
3. The passStringToController function uses logic I found here (Salesforce Forums) to display the lead details next to my canvas app so the user can edit them and continue working with my canvas app.
<apex:actionFunction name="passStringToController" action="{!myMethod}" rerender="idToRerender">
<apex:param name="p1" value="" assignTo="{!kId}" />
</apex:actionFunction>
<div id="content" >
 <apex:outputPanel id="idToRerender2"> 
 <apex:outputPanel id="idToRerender"> 
  <apex:detail inlineEdit="true" subject="{!kID}" id="DetailSection"  />
 </apex:outputPanel>
 </apex:outputPanel>
</div>
The visualforce page uses my custom page extension extensions="SomethingPageExtension" and kId just has {get; set;}
public String kId { get; set; }


I assume that the xss error is in the javascript on my visualforce page:
Sfdc.canvas.controller.subscribe({name : 'CallLogic.showLead', 
onData : function (e) { 
passStringToController(e.leadid); }   // <<-------- xss must be this?????? Can I secure it somehow?
} );
Or in the way I call my canvas app with parameters
parameters="{CampaignId:'{!$CurrentPage.parameters.CampaignId}',CampaignName:'{!$CurrentPage.parameters.CampaignName}'}"

What do you guys think?
Can I somehow sanitize the javascript (something like JSENCODE inside the get/set or inside the javascript code)?
Or maybe I should URLENCODE or HTMLENCODE the parameters that go to the canvas app? All these values are coming from salesforce; e.leadId is the lead ID, like "70136000123Gf3u". The campaign name, well, that is user input, but it comes from salesforce and my application only saves it and doesn't display it anywhere (it has sql command escapes and all the proper ways of handling user input).

I would appreciate any help, thank you so much for your time.
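
An added example to go with the question above (editor's code, not from the poster or from Salesforce). It reproduces with constructed values the two spots the question points at: the URL parameter merged into the canvasApp `parameters` object literal, and the `leadid` value arriving from the canvas event. `jsEncode` is an approximation of what the Visualforce JSENCODE function does server-side and is not the Salesforce implementation; `handleShowLead` is a hypothetical guarded version of the subscribe handler, and the `passStringToController` callback is passed in so it can be exercised offline.

```javascript
// Added example, not code from the original post. Sample values are constructed.
// jsEncode() approximates Visualforce's JSENCODE; it is not Salesforce's implementation.

// Encode a value for use inside a JavaScript string literal. JSON.stringify escapes
// quotes, backslashes and control characters; the extra replacements stop "</script>"
// and the JS line terminators U+2028/U+2029 from ending the literal or the script early.
function jsEncode(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds the same object literal the page puts in
// parameters="{CampaignId:'...',CampaignName:'...'}".
// encode=false mirrors the raw merge fields; encode=true mirrors wrapping them in JSENCODE.
function buildParametersLiteral(campaignId, campaignName, encode) {
  if (encode) {
    return '{CampaignId:' + jsEncode(campaignId) +
           ',CampaignName:' + jsEncode(campaignName) + '}';
  }
  return "{CampaignId:'" + campaignId + "',CampaignName:'" + campaignName + "'}";
}

// Evaluates the literal as JavaScript, which is what the browser does with the
// attribute. Used only to show the difference the encoding makes.
function parseLiteral(literal) {
  return new Function('return (' + literal + ');')();
}

// A Salesforce record ID is 15 or 18 alphanumeric characters ("70136000123Gf3u" in
// the post). Checking the shape before calling the action function means arbitrary
// text from the canvas event never reaches the kId property.
function isSalesforceId(value) {
  return typeof value === 'string' &&
         /^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$/.test(value);
}

// Hypothetical guarded version of the onData handler from the post.
// passStringToController is the page's actionFunction, injected for testability.
function handleShowLead(event, passStringToController) {
  if (!isSalesforceId(event && event.leadid)) {
    return false; // drop the event rather than send unexpected input to the controller
  }
  passStringToController(event.leadid);
  return true;
}
```

With a CampaignName of `x'+'y`, the unencoded literal parses to `xy` (the parameter became code), while the encoded literal gives back `x'+'y` unchanged; on the Visualforce side the equivalent is `{!JSENCODE($CurrentPage.parameters.CampaignName)}` rather than the bare merge field.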
Hi,
I have an application running in Canvas that uses something.com as the Canvas App URL.
For legal reasons based on user input I have to redirect to a different server like
a.something.com
b.something.com
or continue on
something.com

The problem is that when I redirect inside my app the redirect from canvas always pops up (navigates away from salesforce.com to a.something.com or b.something.com).

The only solution I see now is to create 2 more visualforce pages that each contain one canvas app (each has one of these addresses in the callback).
This way, via the visualforce javascript proxy, I redirect to the page that has Canvas app A or Canvas app B and the user may continue working inside the canvas app and everything looks natural (even though there is a redirect and the canvas app loads again, it all looks the same: same tab, same layout, etc.).

This solution has:
1 App
Something - contains tabs that contain the canvas app pointing to something.com as well as other tabs and static pages (I would like to show only this in the app selection dropdown)

3 Connected Apps
Canvas app Something - canvas app pointing to something.com
Canvas app A_Something - canvas app pointing to a.something.com
Canvas app B_Something - canvas app pointing to b.something.com

But it's unintuitive for the user that they see 3 apps in the upper right corner app selection dropdown.

Questions:
1. Is there a way to use different servers in one Canvas app so I can redirect in the same canvas app to different domains?
2. If not, is there a way to hide the Canvas app A_Something and Canvas app B_Something from showing in the app selection?

I spent about 12 hours looking for the solution :(