Shephali Swarnkar

How to Mitigate Reflected XSS


Hi All,
I have got Reflected XSS vulnerabilities for my app. The lines mentioned in the report are:

Reproduction steps:
1. Login to the native application
2. Navigate to the respective tab
3. Select a user from the drop-down list, intercept the request
4. Apply the attack value in the mentioned parameter name.

I am unable to find out where and what needs to be changed.
Note: In the above mentioned page we select the user from a drop-down list and get the details of the tasks assigned to that user.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Up to my understanding, I may have got this XSS issue because I have used the following Apex code to get the details of the user's task list:

<apex:pageBlock title="Details" id="block1">
    <apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
</apex:pageBlock>

But at the same time, when I browse this link https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting#Apex_and_Visualforce_Applications

I found:
<apex:outputText>
  {!$CurrentPage.parameters.userInput} <!-- safe (auto HTML Encoded) -->
</apex:outputText>


Question: If this is not vulnerable to XSS, then why did I get this reflected XSS for my app?

Need help to find out the exact vulnerable code and the solution for that.

Thanks                
James Loghry
You'll need to sanitize the inputs to prevent potential injections.  You can do this by using an encoding function such as HTMLENCODE (I think that's the correct one, anyway), or sanitizing the input in your controller, and then referencing the resulting member variable in your VF tag instead.
Shephali Swarnkar

Hi James,
Thanks for your reply.
Can you please explain with an example how to sanitize the input, and do we need to sanitize the input only when we use merge fields?
As follows:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
eg1.    <apex:commandlink value="{!t.Owner.Name}" rerender="block1">
Code after sanitizing the input:
        <apex:commandlink value="{!JSENCODE(HTMLENCODE(t.Owner.Name))}" rerender="block1">   (please correct if wrong)
I think I don't need JSENCODE here as I am not using any JavaScript.

What about other inputs, for example: <apex:selectList size="1" value="{!SelectedOwnerId}">

Should I encode this too, as this is where the end user will select the values from the drop-down list?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
eg2. Encoding for the above mentioned code.
        <apex:pageBlock title="Details" id="block1">
            <apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
        </apex:pageBlock>

Code after sanitizing the input:
        <apex:pageBlock title="Details" id="block1">
            <apex:detail subject="{!HTMLENCODE($CurrentPage.parameters.UserInput)}" relatedList="false"/>
        </apex:pageBlock>

Thanks
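As an added illustration of the controller-side approach James mentions (validate the request parameter in the controller and bind the page to the resulting member variable rather than to `$CurrentPage.parameters` directly), here is an example Apex controller. It is not code from the thread; the class name `TaskOwnerDetailController`, the property names and the error text are assumptions. It treats the `UserInput` parameter the way the eg2 page uses it, as a record Id for `apex:detail`, and accepts it only when it parses as a well-formed User Id, so no free-form attacker-controlled string is ever reflected into the markup.

```apex
// Added example (not from the original post): a Visualforce controller that
// validates the UserInput page parameter before the page binds it.
public with sharing class TaskOwnerDetailController {

    // Bound by the page: <apex:detail subject="{!selectedUserId}" relatedList="false"/>
    public Id selectedUserId { get; private set; }

    // Shown via <apex:outputText value="{!errorMessage}"/>, which auto HTML-encodes
    public String errorMessage { get; private set; }

    public TaskOwnerDetailController() {
        // Read the raw request parameter once, in the controller, never in markup
        String raw = ApexPages.currentPage().getParameters().get('UserInput');
        selectedUserId = parseUserId(raw);
        if (selectedUserId == null && String.isNotBlank(raw)) {
            // Constant message: the rejected input itself is never echoed back
            errorMessage = 'Invalid user selection.';
        }
    }

    // Returns the Id only when the string is a syntactically valid Id whose
    // key prefix belongs to the User object; anything else yields null.
    @TestVisible
    private static Id parseUserId(String raw) {
        if (String.isBlank(raw)) {
            return null;
        }
        try {
            Id candidate = Id.valueOf(raw);   // throws System.StringException on malformed input
            if (candidate.getSobjectType() == User.SObjectType) {
                return candidate;
            }
        } catch (System.StringException e) {
            // fall through: not an Id at all
        }
        return null;
    }
}
```

With this controller, the page's `apex:detail` tag binds to `{!selectedUserId}`, which can only ever hold a real Id or null, so there is nothing left for HTMLENCODE to encode in that attribute; the drop-down value (`{!SelectedOwnerId}` in eg1) can be handled the same way, by typing it as `Id` in the controller instead of `String`. Output encoding functions such as HTMLENCODE and JSENCODE remain the right tool for free-text fields like `{!t.Owner.Name}` that are rendered where merge fields are not auto-encoded.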