[SalesForce] How to JSENCODE from an apex controller

I select a list of sObjects in my controller then pass directly to my visualforce page where I render out as a javascript object. I can't use JSENCODE in the visualforce page because I need the serialized object to be rendered as a JS Object. Instead, I think I need to iterate through the values in Apex and make sure they are encoded to protect against XSS. Any recommendations on the proper way to do this?

Controller

    recipientList = Database.query('select Id, Name, Email from Contact where AccountId=\'' + String.escapeSingleQuotes(originObjectIdString) + '\' and Contact.Name!=Null and Contact.Email!=Null');

serializedRecipientOptions =
JSON.serialize(recipientList);

VF Page

<script type='text/javascript'>
var myEscapedObject = {
serializedRecipientOptions: {!
serializedRecipientOptions}
}
</script>

I was thinking something like this in the controller code (except this doesn't work because JSENCODE is not defined in the controller)

List<sObject> escapedRecipientList = new List<sObject>();
            for(sObject ind_recipient:recipientList){
                ind_recipient.Id = JSENCODE(ind_recipient.Id);
                ind_recipient.Name = JSENCODE(ind_recipient.Name);
                ind_recipient.Email = JSENCODE(ind_recipient.Email);
                escapedRecipientList.push(ind_recipient);
            }
            return escapedRecipientList;

Any ideas?

Best Answer

You can use JSENCODE in tandem with the built-in Javascript method JSON.parse.

var myEscapedObject = JSON.parse("{!JSENCODE(serializedOptions)}");

Related Solutions

[SalesForce] Apex JSON.serialize() with null values (RELOADED)

Nulls are being rendered in the latest JSON (32.0/33.0). You must explicitly the set the value to null for it to work. Consider the following code:

Account a = new Account(Name='test',Industry=null);
System.debug(LoggingLevel.ERROR, JSON.serialize(a));

Output:

{"attributes":{"type":"Account"},"Name":"test","Industry":null}

If you need every single field, you'll have to do something like:

Account a = new Account();
for(SObjectField f: account.sobjecttype.getdescribe().fields.getmap().values()) {
    try { a.put(f, null); } catch(exception e) { }
}

Even better, you could always just use a Map, which avoids the errors of field editability:

Map<String, Object> a = new Map<String, Object>();
SObject b = [SELECT Id, Name FROM Account LIMIT 1];
for(SObjectField f: account.sobjecttype.getdescribe().fields.getmap().values()) {
    try { a.put(String.valueOf(f), b.get(f)); } 
    catch(Exception e) { a.put(String.valueOf(f), null); }
}
System.debug(logginglevel.error, json.serialize(a));

I've just tried this code in executeAnonymous and came up with fully realized JSON. Note that I use a try-catch here because queried SObjects generate errors for missing fields. If you're using a manually constructed SObject, you'll not have to worry about catching errors.

Finally, note that executeAnonymous tends to always run in the latest version. You won't normally see differences in execution contexts because the entire transaction is set to version 32.0 mode when running executeAnonymous. To emulate a lower version, you'd have to write a Visualforce page and set the version of the page to a lower value, and then also set the controller's version to that lower value, etc...

Alternatively, you could write a REST class, and call that REST function. That should also set the version correctly. Since executeAnonymouse is basically an eval(), it tends to behave in the latest version, because it has to be compiled on demand.

[SalesForce] value don’t pass to controller

Remove getState() and setState() methods, because you use auto property

public String state {get;set;}

public PageReference MapFilter() {
    system.debug('----------------------->'+state);
    return null;
}

And wrap table in form tag

<apex:form >
    <td>
        <apex:selectList value="{!state}" multiselect="false" size="1">
            <apex:selectOptions value="{!StateFilter}"/>
        </apex:selectList>
    </td>
    <p/>
    <td>
        <apex:commandButton value="Filtrar" action="{!MapFilter}"/>
    </td>
</apex:form>

Best Answer

Related Solutions

[SalesForce] Apex JSON.serialize() with null values (RELOADED)

[SalesForce] value don’t pass to controller

Related Topic