
Unescape HTML caused Security Review issue

I'm looking to render a Visualforce Page as a Doc File.

In the content of the document I need to include the HTML stored in the database (entered through a text area with the standard rich text editor). The problem is that I failed the security review because of this.


Any help or work around to pass the review?


This is where it failed:


50. public FooController() //FooController.cls
53. currentId = ApexPages.currentPage().getParameters().get('cId');
1. <!-- //Foo.page
412. <div><apex:outputText escape="false" value="{!fooObj.richText__c}"/></div>



I also tried to wrap my object in an inner class to avoid mapping the stored field directly, but without luck...


Thanks in advance,





Well, if I am understanding your question correctly, your given code snippet failed the Salesforce security review.

If that is the case you can do exactly what I did in my code; I am attaching the snippet below:


var strObj1Id="{!SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(Object1Id, '&','&#38;'), '>','&#62;'), '<','&#60;'),'\'','&#39;'),'"','&#34;')}";//To Prevent XSS attack added on 08/06/2009.
var arrSelectedObj2 = {!SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(SUBSTITUTE(GETRECORDIDS($ObjectType.Object2 ), '&','&#38;'), '>','&#62;'), '<','&#60;'),'\'','&#39;'),'"','&#34;')};//To Prevent XSS attack added on 08/06/2009.


This is what I had done to make my code acceptable from a security standpoint.

This was done in a JavaScript snippet, but it will be a pointer nevertheless.


Did this answer your question? If not, let me know what didn't work, or if so, please mark it solved.
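As an added illustration (not code from either post in this thread), the same five-step SUBSTITUTE chain written as a plain JavaScript function, run over a constructed rich-text value, with a second function that shows why the '&' replacement has to come first:

```javascript
// Added example: the ordered replacement chain the answer performs with nested
// SUBSTITUTE() calls, as a plain JavaScript function. The order matters: '&'
// is handled first so the entities introduced by the later steps are not
// themselves re-escaped.
function escapeForHtml(value) {
  return String(value)
    .replace(/&/g, "&#38;")   // must come first
    .replace(/>/g, "&#62;")
    .replace(/</g, "&#60;")
    .replace(/'/g, "&#39;")
    .replace(/"/g, "&#34;");
}

// Same replacements with '&' done last: every entity produced by the earlier
// steps has its '&' re-encoded, so the browser shows the literal text "&#60;"
// instead of "<". Included only to show why the order above is the right one.
function escapeWrongOrder(value) {
  return String(value)
    .replace(/>/g, "&#62;")
    .replace(/</g, "&#60;")
    .replace(/'/g, "&#39;")
    .replace(/"/g, "&#34;")
    .replace(/&/g, "&#38;");
}

// Constructed sample resembling what a rich-text field might hold.
const sampleRichText = '<b>Q&A</b> <script>alert("x")</script>';

// Escaped output contains no raw markup characters, so the browser renders it
// as text rather than parsing it as HTML.
console.log(escapeForHtml(sampleRichText));
```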