Cross-Site Scripting (XSS) is a vulnerability that appears when an attacker can get HTML, JavaScript or VBScript code executed in your application. As a result, the attacker can steal session cookies or passwords, or break the page. XSS is one of the most serious and most common attacks on web applications. Protection against XSS is especially important for external pages; internal pages are accessible only to a limited number of users, but they are still at risk.
Example (vulnerable):

Apex controller:

```apex
public class DemoXSS {
    public String strXSS { get; set; }

    public DemoXSS() {
        strXSS = 'alert(document.cookie);';
    }
}
```
VF Page:

```html
<apex:page controller="DemoXSS">
    <script type="text/javascript">
        function demoXSS() {
            {!strXSS}
        }
    </script>
    <input type="button" onclick="demoXSS();"/>
</apex:page>
```
As a result, the controller's string is executed as JavaScript and reads the page's cookies. The variable strXSS can contain anything, so whoever controls it can cause irreversible damage.
To avoid this danger, characters must be encoded for the context in which they are output. For example, if the variable strXSS is used in an HTML context, the characters < and > are replaced by &lt; and &gt; respectively. In a JavaScript context they are replaced by \u003C and \u003E (link).
The Salesforce platform provides the following Visualforce encoding functions:
- JSENCODE — encodes a string for use within a JavaScript string context
- HTMLENCODE — replaces every markup-significant character with the corresponding HTML entity, so the browser does not interpret the value as markup
- URLENCODE — performs URI encoding (% style encoding) within a URL component context
- JSINHTMLENCODE — a convenience function equivalent to the composition HTMLENCODE(JSENCODE(x))
You find more information here: link.
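The following is an added example, not code from the page or from Salesforce. It re-implements, as stand-ins, the escaping that HTMLENCODE, JSENCODE and JSINHTMLENCODE perform (the exact character set Salesforce escapes is an assumption here) and applies them to the page's payloads in the two contexts the page discusses: a value placed inside an HTML element, and a value placed inside a quoted JavaScript string (the context JSENCODE is designed for). A stubbed alert() checks whether the generated script still executes the injected code, and a tag check does the same for the HTML output.

```javascript
// Added example, not code from the page or from Salesforce. Stand-in
// implementations of the escaping that HTMLENCODE, JSENCODE and
// JSINHTMLENCODE perform (the exact character set Salesforce escapes is an
// assumption here), applied to the page's payloads in an HTML context and in
// a JavaScript string context, with a check that the encoded output no
// longer executes.

// HTML context: markup-significant characters become entities, so the
// browser renders them as text instead of parsing them as tags.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// JavaScript string context: backslash-escape quotes and backslashes, and
// \uXXXX-escape characters that could end a <script> block or a line.
// Inside a JS string literal "\u003C" still reads back as "<".
function jsEncode(s) {
  const map = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "<": "\\u003C", ">": "\\u003E", "&": "\\u0026",
    "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
  };
  return String(s).replace(/[\\'"<>&\n\r\u2028\u2029]/g, (c) => map[c]);
}

// JSINHTMLENCODE = HTMLENCODE(JSENCODE(x)): for a value that sits in a JS
// string inside an HTML attribute such as onclick, where the HTML parser
// decodes entities first and the JS parser sees the result.
function jsInHtmlEncode(s) {
  return htmlEncode(jsEncode(s));
}

// Templates modelled on the page: <apex:outputText escape="false"> with the
// value inside <i>, and a value placed in a quoted string in a <script>.
function renderHtmlContext(value) {
  return "<i> Hello " + value + " </i>";
}
function renderJsContext(value) {
  return 'var s = "' + value + '";';
}

// Runs the generated script with a stubbed alert() and reports whether the
// value broke out of the string literal (alert fired) and what s holds.
function runJsContext(code) {
  let alertCalls = 0;
  const fn = new Function("alert", code + "\nreturn s;");
  const s = fn(() => { alertCalls++; });
  return { alertFired: alertCalls > 0, value: s };
}

// Constructed payloads: the page's <script> payload for the HTML context and
// a quote-breakout payload for the JS string context.
const HTML_PAYLOAD = "<script> alert(1); </script>";
const JS_PAYLOAD = '"; alert(1); //';

function demoContexts() {
  const vulnerableHtml = renderHtmlContext(HTML_PAYLOAD);
  const safeHtml = renderHtmlContext(htmlEncode(HTML_PAYLOAD));
  const vulnerableJs = runJsContext(renderJsContext(JS_PAYLOAD));
  const safeJs = runJsContext(renderJsContext(jsEncode(JS_PAYLOAD)));
  return {
    vulnerableHtmlHasScriptTag: /<script\b/i.test(vulnerableHtml),
    safeHtmlHasScriptTag: /<script\b/i.test(safeHtml),
    safeHtml,
    vulnerableJsAlertFired: vulnerableJs.alertFired,
    safeJsAlertFired: safeJs.alertFired,
    safeJsRoundTrips: safeJs.value === JS_PAYLOAD,
  };
}

console.log(demoContexts());
```

The point the two checks make is that the encoder must match the output context: htmlEncode leaves the JS string context wide open (a double quote is not an HTML-special character), and jsEncode does nothing useful for a value dropped straight into markup. The round-trip check on the JS case also shows that correct encoding preserves the value the user typed; it only stops it from being parsed as code.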
Example (safe), encoding the string for the JavaScript context:

Controller:

```apex
public class DemoXSS {
    public String strXSS { get; set; }

    public DemoXSS() {
        strXSS = 'alert(document.cookie);';
    }
}
```
Visualforce:

```html
<apex:page controller="DemoXSS">
    <script type="text/javascript">
        function demoXSS() {
            {!JSENCODE(strXSS)}
        }
    </script>
    <input type="button" onclick="demoXSS();"/>
</apex:page>
```
Example (vulnerable):

Let's suppose that we want to show the following string in italics:

```
Hello <script> alert(1); </script>
```

We decide to write it like this:

```html
<apex:outputText escape="false" value="<i> Hello {!strXSS} </i>"/>
```
In the <apex:outputText> component we set the attribute escape="false", and exactly this makes the output vulnerable.

Note: Salesforce works to reduce these vulnerabilities, so pages built with Apex and Visualforce are protected against XSS by default: the components that could output JavaScript have escape="true" as their default.
Controller:

```apex
public class DemoXSS {
    public String strXSS { get; set; }

    public DemoXSS() {
        strXSS = '<script> alert(1); </script>';
    }
}
```
VF Page:

```html
<apex:page controller="DemoXSS">
    <apex:outputText escape="false" value="<i> Hello {!strXSS} </i>"/>
</apex:page>
```
As a result, only the word "Hello" is rendered in italics, while the JavaScript is executed and displays a pop-up message (the alert call).
To protect this component we need to use HTMLENCODE.
Example (safe):

Controller:

```apex
public class DemoXSS {
    public String strXSS { get; set; }

    public DemoXSS() {
        strXSS = '<script> alert(1); </script>';
    }
}
```
Visualforce:

```html
<apex:page controller="DemoXSS">
    <apex:outputText escape="false" value="<i> Hello {!HTMLENCODE(strXSS)} </i>"/>
</apex:page>
```
As a result, the screen displays the following text in italics:

```
Hello <script> alert(1); </script>
```
XSS also applies to values placed into URLs. For safety, such values need to be passed through URLENCODE.
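As an added example (not code from the page or from Salesforce) of the URL component context that URLENCODE is meant for, the block below builds a query-string link from an untrusted value, once unencoded and once through encodeURIComponent as a stand-in for URLENCODE, and parses the result the way the receiving page would. The base URL, the parameter name q and the input value are constructed for the example. It also carries the one caveat a practitioner should keep in mind: component encoding does not help when the untrusted value is the whole URL (for instance an href), where the scheme has to be allow-listed instead.

```javascript
// Added example, not code from the page or from Salesforce. A stand-in for
// URLENCODE (URI %-encoding of one URL component) using encodeURIComponent,
// applied to a query-string parameter built from an untrusted value, with a
// check that the value cannot smuggle extra parameters into the URL.

// Assumed placeholder base URL for the example.
const BASE = "https://example.invalid/apex/DemoPage";

// Unencoded: the value is pasted straight into the query string.
function buildUrlVulnerable(searchTerm) {
  return BASE + "?q=" + searchTerm;
}

// URL component context: encodeURIComponent escapes & = # ? / and non-ASCII,
// which is the job URLENCODE does inside a Visualforce expression.
function buildUrlSafe(searchTerm) {
  return BASE + "?q=" + encodeURIComponent(searchTerm);
}

// Parses a URL and returns its query parameters as a plain object, i.e. what
// the receiving page sees after the browser has split the query string.
function queryParams(url) {
  const out = {};
  for (const [k, v] of new URL(url).searchParams) out[k] = v;
  return out;
}

// Caveat: encoding does not help when the untrusted value is the entire
// URL. There the scheme must be checked against an allow list; a relative
// path is resolved against BASE and therefore keeps its https: scheme.
function isAllowedHref(href) {
  try {
    return ["http:", "https:"].includes(new URL(href, BASE).protocol);
  } catch (e) {
    return false;
  }
}

// Constructed untrusted input: tries to add a second parameter and a fragment.
const UNTRUSTED = "shoes&extra=injected#frag";

function demoUrl() {
  const vulnerable = queryParams(buildUrlVulnerable(UNTRUSTED));
  const safe = queryParams(buildUrlSafe(UNTRUSTED));
  return {
    vulnerableParams: vulnerable,          // q=shoes plus an injected "extra"
    safeParams: safe,                      // a single q holding the whole value
    injectedParam: "extra" in vulnerable,
    safeRoundTrips: safe.q === UNTRUSTED,
  };
}

console.log(demoUrl());
```

The encoded form keeps the whole input inside the one parameter it was meant for, and the receiving page decodes it back to exactly what the user typed, so the structure of the URL is never under the user's control.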
Here you find more details about testing XSS: link