[SalesForce] How to prevent html tags rendering as html entities when

I have an apex apex:outputtext used in VF page with escape="true". Setting escape = true shows the html entities instead of displaying the required html format. As the code is in managed package this should be XSS free using either escape=true or using HTMLENCODE VF function. Making XSS free makes the field to show the html entities.
For example

Controller:

String htmlString = '<p>Hello World</p>';

VF Page:

<apex:outputtext escape="true" value="{!htmlString }"/>

or just:

{!HTMLENCODE(htmlString )}

will give the output:

&lt;p&gt;Hello World&lt;p&gt;

Expected result is <p>Hello World</p>. So how to get this output with XSS fix?

Best Answer

Thinking about it, you will never be able to use the escape="true" attribute to achieve what you want. You want your generated HTML to be rendered by the browser so you have to use escape="false"

That means you have to sanitize your HTML in the controller prior to it being rendered by your VF page. Which means you need to think about what you want to allow to pass that sanitization and what may not pass.

There's some good information about the topic on the OWASP web site and some more Salesforce specific stuff on developerforce. Looks like what you really need is an APEX version of the antisamy library.

I don't know of such a project, though others have used a web service to achieve the sanitization outside of the Salesforce environment. Surely not what you look for.

A Salesforce version of OWASPs ESAPI library has been published by Salesforce itself. That might help but unfortunately is no replacement for AntiSamy.

Related Solutions

[SalesForce] VisualForce page to allow inline editing of EmailTemplate HTML

I tried to complete your code to achieve what you describe and found a little problem: sending the email will create a Task object, which conflicts with saving an EmailTemplate (you get a MIXED_DML_OPERATION).

What I ended up doing is creating separate buttons for the save and the email. I used a TemporalTemplate to store the modified version so I can reuse it.

You may be able to avoid the MIXED_DML_OPERATION by using a @Future method to send the email after the save.

Here's my code:

<apex:page controller="EmailTemplateController">
<apex:form >
<apex:pageBlock >
<apex:pageBlockButtons >
<apex:commandButton action="{!sendMail}" value="Send Email"/>
<apex:commandButton action="{!saveTemplate}" value="Save Template"/>
</apex:pageBlockButtons>
<apex:pageBlockSection columns="1">
<apex:pageBlockSectionItem >
    <apex:outputLabel value="Target Contact" />
    <apex:inputField value="{!targetContact.ReportsToId}"/>    
</apex:pageBlockSectionItem>
<apex:pageBlockSectionItem >
    <apex:outputLabel value="Edit Template" />
    <apex:inputTextarea id="editTemplate" value="{!editedTemplate}" richText="true" cols="100" rows="15"/>
</apex:pageBlockSectionItem>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>

And the controller:

public with sharing class EmailTemplateController {
    public Contact targetContact {get;set;}
    public String editedTemplate {get;set;}
    private String templateId = null;
    public EmailTemplateController() {
        targetContact = new Contact();
        if (ApexPages.currentPage().getParameters().containsKey('template')) {
            templateId = ApexPages.currentPage().getParameters().get('template');
            this.editedTemplate = [select HtmlValue from EmailTemplate where Id = :templateId].HtmlValue;
        }
    }

    public PageReference saveTemplate() {
        EmailTemplate template =  [select Id, HtmlValue from EmailTemplate where Name = 'TemporalTemplate'];
        template.HtmlValue = editedTemplate;
        update template;

        return null;
    }

    public PageReference sendMail() {
        EmailTemplate template =  [select Id, HtmlValue from EmailTemplate where Name = 'TemporalTemplate'];

        Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
        email.setSenderDisplayName('Tester');
        email.setTemplateId(template.Id);
        email.setTargetObjectId(targetContact.ReportsToId);
        Messaging.sendEmail(new Messaging.SingleEmailMessage[] {email});
        return null;
    }
}

[SalesForce] Salesforce reformatting HTML in visualforce page when rendering SVG

Definitely seems like a bug with the processing engine to me. If you wrap everything inside the <h1> tags with no-layout output panel then the generated HTML comes out as expected:

<apex:page standardstylesheets="false" showheader="false" sidebar="false" docType="html-5.0" applyHtmlTag="false">
  <div>
    <apex:outputPanel layout="none">
        <h1>
          <a href="/">
            <div>
              <svg height="480" version="1.1" width="640" xmlns="http://www.w3.org/2000/svg" style="overflow: hidden; position: relative; top: -0.3125px;">
                <desc style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">Created with Raphaël 2.0.1</desc>
                <defs style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></defs>
                <ellipse cx="320" cy="240" rx="128" ry="180.48" fill="none" stroke="#555555" transform="matrix(1,0,0,1,0,0)" stroke-width="1" opacity="0.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); opacity: 0.5;"></ellipse>
              </svg>
            </div>
          </a>
        </h1>
      </apex:outputPanel>
    <hr/>
  </div>
</apex:page>

Best Answer

Related Solutions

[SalesForce] VisualForce page to allow inline editing of EmailTemplate HTML

[SalesForce] Salesforce reformatting HTML in visualforce page when rendering SVG

Related Topic