[SalesForce] How to avoid security risks with escape="False" in output tags

Ok, say for example the output we need on the page must include HTML tags and we want to avoid any security risks...

Scenario 1: No user input; the string is completely generated by Apex code and displayed by the page. Is there any risk? If so, what is the best way to avoid it?

Scenario 2: The string is constructed in a way that user input is added to the string. The input has String.escapeSingleQuotes() AND .escapeHtml4() applied. The obvious risks are injection and XSS, but those would appear to be negated by the applied methods. What, if any, additional risks are present?

Keep in mind that the application needs the output of the string to contain the HTML elements the Apex code adds, so it will not be an option to set escape="true".

This question is both a learning question and a best-practice question, as this is one of the most frequent reasons apps fail security review.

Best Answer

For the first scenario, there's no risk, because the code being emitted is directly created by the developer and is under the developer's full control. There's no risk of malicious injection, so there's no security risk.

For the second scenario, you should escape the content that's not under your control. For example, you might do this:

// Developer-controlled markup around escaped user content (stray ';' inside the array initializer removed)
output += String.format('<td>{0}</td>', new String[] { userInput.escapeHtml4() });

The intent is to make a cell (td) with whatever user content they desire. By escaping the input so that greater-than, less-than, ampersand, quote, and apostrophe are replaced with HTML entities, you guarantee that no script injection can occur, malforming the page or even executing arbitrary JavaScript.

escapeSingleQuotes is for SOQL, and should not be used for escaping HTML. It won't cause any security problem, but it would cause extra apostrophes to appear in the output. Other than that, there are no other risks that you'd run into, since escaping the four main character entities that would be used for XSS will eliminate any known security risk.
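The escaping contract the answer describes, as an added example that is not part of the original post and not Salesforce's own code: it is written in Python rather than Apex so it can be run offline, with html.escape standing in for escapeHtml4() and a backslash-before-apostrophe helper modelling what SOQL-style single-quote escaping does (and does not do) to HTML. The sample inputs, the function names, and the "did any user-supplied tag survive?" check are constructed for this illustration.

```python
import html
import re

# Constructed sample inputs (not from the original post): one benign, one hostile.
SAMPLE_INPUTS = {
    "benign": "O'Reilly & Sons <est. 1978>",
    "hostile": "</td><script>alert(1)</script><td onmouseover='x'",
}


def escape_html(user_input: str) -> str:
    """Stand-in for the answer's escapeHtml4() step: the characters that can
    change HTML structure (& < > " ') become entities. html.escape with
    quote=True turns ' into &#x27; and " into &quot;."""
    return html.escape(user_input, quote=True)


def escape_single_quotes(user_input: str) -> str:
    """Models SOQL-style single-quote escaping (a backslash before each
    apostrophe). It leaves < > & " untouched, so it is not HTML escaping."""
    return user_input.replace("'", "\\'")


def render_cell(user_input: str) -> str:
    """Developer-controlled <td> wrapper around escaped user content, mirroring
    the answer's String.format('<td>{0}</td>', ...) pattern."""
    return "<td>{}</td>".format(escape_html(user_input))


def render_cell_wrong(user_input: str) -> str:
    """The mistake the answer warns about: only SOQL-style escaping applied
    before the value is placed into markup."""
    return "<td>{}</td>".format(escape_single_quotes(user_input))


# Anything that still looks like the start of a tag after escaping.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def user_markup_leaked(cell: str) -> bool:
    """Review-style check: strip the developer's own <td>/</td> and report
    whether a tag-like sequence remains inside. True means the user input was
    able to alter the page structure."""
    inner = cell[len("<td>"):-len("</td>")]
    return TAG_RE.search(inner) is not None


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(name, "correct  ->", render_cell(value),
              "leaked:", user_markup_leaked(render_cell(value)))
        print(name, "wrong    ->", render_cell_wrong(value),
              "leaked:", user_markup_leaked(render_cell_wrong(value)))
```

The benign input shows why the entity form is harmless to the reader (the browser renders the apostrophe and ampersand normally), while the hostile input shows that only the HTML-escaped cell keeps the user's text inside the developer's td; the single-quote-only version still carries a live script tag plus a backslash that the answer's "extra characters in the output" remark predicts.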