
Cross-Site Scripting in Apex


Vulnerable Example

Certain Apex output components, such as <apex:outputText>, contain anti-XSS filters that escape characters which are harmful in HTML. Setting the optional attribute escape="false" disables this behavior, so a component that reflects an untrusted URL parameter with escaping turned off, as in the following snippet, is vulnerable to XSS.

<apex:outputText escape="false" value="{!$CurrentPage.parameters.userData}" />

HTML or JavaScript written directly into the Apex page, outside such components, is not sanitized at all, so a merge field placed there can inject into the HTML or JavaScript context, as in the following snippet.

<script>
    // The untrusted URL parameter lands inside a JavaScript string literal
    // and is then written to the document as HTML: no escaping is applied.
    document.write('{!$CurrentPage.parameters.userData}');
</script>

Prevention

When possible, wrap untrusted input in elements such as <apex:outputText> without disabling the anti-XSS filter (leave the escape attribute at its default).

<apex:outputText>
    {!$CurrentPage.parameters.userData}
</apex:outputText>

Take extra care when placing dynamically provided input directly in the web page, and escape dangerous characters with an encoder that matches the output context, for example String.escapeHtml4() when rendering in an HTML context.
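The following Visualforce page is an added example, not part of the original article, showing both output contexts from the vulnerable snippets above handled with a context-appropriate encoder. It assumes a page that reads the same userData URL parameter; the id of the target element is a constructed name.

```html
<apex:page>
  <!-- HTML text context: outputText escapes the value by default
       (escape="true"), so the parameter cannot introduce tags. -->
  <apex:outputText value="{!$CurrentPage.parameters.userData}" />

  <!-- JavaScript string-literal context: HTML escaping is the wrong
       encoder here. JSENCODE escapes quotes, backslashes and line
       terminators so the value cannot terminate the literal. The value
       is then assigned through textContent rather than document.write,
       so the browser never parses it as HTML. The controller-side
       equivalent of JSENCODE is String.escapeEcmaScript(). -->
  <div id="userDataOut"></div>   <!-- constructed element id -->
  <script>
    var userData = '{!JSENCODE($CurrentPage.parameters.userData)}';
    document.getElementById('userDataOut').textContent = userData;
  </script>
</apex:page>
```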
