Ram S

Fix Potential Cross-site Scripting Vectors

Hi All,
If anyone finds difficulties in passing this challenge, please make these changes in the VF page:

<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText >
    {!sampleMergeField3}
</apex:outputText>
<script>
    document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
</script>
{!sampleMergeField5}
<script>
    var x = '{!JSENCODE(sampleMergeField6)}';
</script>
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>

Thanks,
Ram
Best Answer chosen by Ram S
Ram S
<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
<apex:outputText >
    {!sampleMergeField3}
</apex:outputText>
<script>
    document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
</script>
{!sampleMergeField5}
<script>
    var x = '{!JSENCODE(sampleMergeField6)}';
</script>
<apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>

All Answers

mahamed raheem
For me, I am getting the below error:

[User-added image]
Pavlo Shchur
Hi Mahamed Raheem, make sure you took into account the suggestion which was provided by Ram S. Otherwise, show your markup.
Mahesh_Golla
Hi Raheem,
If you are doing the "Identify Potential Cross-Site Scripting Vectors" unit challenge, you just need to edit the comment lines to either YES or NO.
So the answer will be:
Line 10: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 14: <!-- sampleMergeField1 is vulnerable to XSS: YES -->
Line 20: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 28: <!-- sampleMergeField1 is vulnerable to XSS: YES -->
Line 32: <!-- sampleMergeField1 is vulnerable to XSS: NO -->
Line 38: <!-- sampleMergeField1 is vulnerable to XSS: YES -->
Line 42: <!-- sampleMergeField1 is vulnerable to XSS: YES -->

 
Yves Asselin 3
I tell you... the guys that write these are something else... I just don't understand things like #4...

<style>
    .foo {
        color: #{!sampleMergeField4};
    }
</style>

Following Ram S's answer, I added the following code, but I just don't understand how we were supposed to figure this out...

<style>
    .foo {
        color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
    }
</style>

Anyway, this code worked for me...


<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">

            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->

            <apex:outputText value="{!HTMLENCODE(sampleMergeField2)}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS:YES -->

            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS:NO -->

            <style>
                .foo {
                    color: document.write('{!JSINHTMLENCODE(sampleMergeField4)}');
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS:YES -->

            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS:NO -->

            <script>
                var x = '{!JSENCODE(sampleMergeField6)}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS:YES -->

            <apex:outputLabel value="{!HTMLENCODE(sampleMergeField7)}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS:YES -->

        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>
        </apex:pageBlockSection>
    </apex:pageBlock>
</apex:form>
</apex:page>
Kundan Shukla 3
Hey Peers,

Update to this question and its answer.
You do not need to add the additional functions or wrap the merge fields in the additional functions as mentioned above.

What you need to do is mention the correct merge field name in the comment and specify whether it is vulnerable or not.
For example, in the case of the following merge field:

<apex:outputText value="{!sampleMergeField2}" escape="false"/>
<!-- sampleMergeField2 is vulnerable to XSS: YES -->

Note the comment. Mention the correct merge field name.

Hope this helps you. Certainly worked for me.
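The thread's answers come down to one rule: the encoder has to match the sink the merge field lands in. The script below is an added example for this page, not Salesforce code and not anything posted in the thread. Its html_encode, js_encode and js_in_html_encode functions are simplified stand-ins for the Visualforce HTMLENCODE, JSENCODE and JSINHTMLENCODE functions (an assumption about their behaviour, not the platform's implementation), and the sample string is constructed. It models three of the challenge's sinks, outputText with escape="false", var x = '...' inside a script block, and document.write('...') inside a script block, and reports, for each encoder, whether the sample can still change how the sink is parsed. The auto-escaped contexts (sampleMergeField1, 3 and 5) and the CSS color: #{!sampleMergeField4} context are not modelled.

```python
"""Why each sink in the challenge wants a different encoder.

Added example for this thread; it is not Salesforce code. html_encode,
js_encode and js_in_html_encode are simplified stand-ins for the Visualforce
HTMLENCODE, JSENCODE and JSINHTMLENCODE functions (an assumption about their
behaviour, not the platform's implementation).
"""
import re
from typing import Callable, Dict, Optional

_HTML_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
_JS_MAP = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r"}


def html_encode(s: str) -> str:
    """Stand-in for HTMLENCODE: neutralise characters the HTML parser acts on."""
    return "".join(_HTML_MAP.get(c, c) for c in s)


def js_encode(s: str) -> str:
    """Stand-in for JSENCODE: backslash-escape what could end a JS string literal."""
    return "".join(_JS_MAP.get(c, c) for c in s)


def js_in_html_encode(s: str) -> str:
    """Stand-in for JSINHTMLENCODE as used with document.write: the JS engine
    unescapes the literal first and the HTML parser sees the result, so the
    HTML encoding has to be the inner layer (assumed composition order)."""
    return js_encode(html_encode(s))


def js_string_literal_to_value(body: str) -> Optional[str]:
    """Minimal reader for the body of a single-quoted JS literal. Returns the
    string value, or None if an unescaped quote or newline would terminate the
    literal early (everything after it would then be parsed as code)."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        if c in ("'", "\n", "\r"):
            return None
        out.append(c)
        i += 1
    return "".join(out)


def html_has_markup(text: str) -> bool:
    """True if the HTML parser would treat part of the text as a tag."""
    return re.search(r"<\s*/?\s*[A-Za-z]", text) is not None


# One check per sink: returns True when the rendered value can change parsing.
def check_html_body(rendered: str) -> bool:
    # <apex:outputText value="..." escape="false"/>
    return html_has_markup(rendered)


def check_js_string(rendered: str) -> bool:
    # <script> var x = '...'; </script>
    return js_string_literal_to_value(rendered) is None


def check_js_string_written_to_dom(rendered: str) -> bool:
    # <script> document.write('...'); </script>
    value = js_string_literal_to_value(rendered)
    return value is None or html_has_markup(value)


SINKS: Dict[str, Callable[[str], bool]] = {
    "outputText escape=false": check_html_body,
    "var x = '...'": check_js_string,
    "document.write('...')": check_js_string_written_to_dom,
}
ENCODERS: Dict[str, Callable[[str], str]] = {
    "none": lambda s: s,
    "HTMLENCODE": html_encode,
    "JSENCODE": js_encode,
    "JSINHTMLENCODE": js_in_html_encode,
}

# Constructed sample: harmless text that happens to contain a quote, a tag and a newline.
SAMPLE = "Bob's <b>note</b>\nsecond line"


def vulnerability_matrix(sample: str = SAMPLE) -> Dict[str, Dict[str, bool]]:
    """For each sink, which encoders still let the sample alter parsing (True = vulnerable)."""
    return {sink: {name: check(enc(sample)) for name, enc in ENCODERS.items()}
            for sink, check in SINKS.items()}


if __name__ == "__main__":
    for sink, row in vulnerability_matrix().items():
        verdicts = ", ".join(f"{name}={'YES' if v else 'NO'}" for name, v in row.items())
        print(f"{sink:28s} vulnerable with {verdicts}")
```

Running it prints one row per sink. The rows show why the thread's wrapping is sink-specific: HTMLENCODE closes the escape="false" sink but not the JS string (the newline in the sample ends the literal), JSENCODE closes the JS string but not document.write (the tag survives decoding and is handed to the HTML parser), and only JSINHTMLENCODE closes the document.write sink.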