+ Start a Discussion

Avoid Cross-site Scripting on apex column



I have a vf page with this problem about security risk: Cross-site Scripting.

I have no idea how to solve it.


The red line is the part of my vf page where i have the problem:


<apex:pageblocktable value="{!accsandtmember}"  var="accdet">

<apex:column headervalue="ID" style="{!accdet.Otra_informaci_n__c}">


I take the Otra_informaci_n__c value from a method in an apex class.

 It's got to be something simple. Any help will be appreciated.



Best Answer chosen by Admin (Salesforce Developers) 
Chamil MadusankaChamil Madusanka

A cross-site scripting weakness occurs when dynamically generated web pages display unvalidated, unfiltered, and
unencoded user input allowing an attacker to embed malicious scripts into the generated page. This can be leveraged to
execute scripting code as if it came from the site's server on the computer of anyone who uses the site.


Cross-site scripting attacks cover a broad range of attacks where malicious HTML or client-side scripting is provided to a
web application. The web application includes the malicious scripting in a response to a user of the web application. The user
then unknowingly becomes the victim of the attack. The attacker has used the web application as an intermediary in the
attack, taking advantage of the victim's trust for the web application. Most applications that display dynamic web pages
without properly validating the data are likely to be vulnerable. Attacks against the web site are especially easy if input from
one user is intended to be displayed to another user. Some obvious possibilities include bulletin board or user commentstyle web sites, news, or e-mail archives.


Depending on the context in which the user input is being reflected to the page, Salesforce provides the utilities to stop
Cross Site Scripting vulnerabilities. The following encoding functions are available:

HTMLENCODE Encodes text and merge field values for use in HTML by replacing characters that are reserved in HTML,
such as the greater-than sign (>), with HTML entity equivalents, such as &gt;.

JSENCODE Encodes text and merge field values for use in JavaScript by inserting escape characters, such as a backslash
(\), before unsafe JavaScript characters, such as the apostrophe (').

JSINHTMLENCODE Encodes text and merge field values for use in JavaScript within HTML tags by inserting escape
characters before unsafe JavaScript characters and replacing characters that are reserved in HTML with HTML entity

URLENCODE Encodes text and merge field values for use in URLs by replacing characters that are illegal in URLs, such as
blank spaces, with the code that represent those characters as defined in RFC 3986, Uniform Resource Identifier (URI):
Generic Syntax. For example, blank spaces are replaced with %20, and exclamation points are replaced with %21.


The sample code used above which contains a Cross Site Scripting flaw:


<script>var foo = '{!$CurrentPage.parameters.userparam}';</script>

 Can be addressed by updating the code in the following manner:

<script>var foo = '{!JSENCODE($CurrentPage.parameters.userparam)}';</script>

 The user input provided through the parameter "userparam" will now be encoded.

More details on what is and what is not encoded with the functions above can be found here:


If a reply to a post answers your question or resolves your problem, please mark it as the solution to the post so that others may benefit.