[SalesForce] XSS : Rich textarea content security review issue when using escape=false

I am getting user input through a textarea as rich text and storing it in an object:

<div class="col-md-12">
    <div class="col-md-12">
        <div class="form-group">
            <label>Account Note <span class="required-field-star">*</span></label>
            <apex:inputTextarea id="notes" styleClass="form-control" value="{!object.Field1__c}" richText="true" />
        </div>
    </div>
</div>

Now I want to show that text as HTML on the page. When I use the code below it fails the security review and Checkmarx. Please suggest how I can display the text as HTML; if I remove escape="false" then it is printed as-is, with the HTML tags.

<apex:outputText value="{!object.Field1__c}" escape="false"></apex:outputText>

Best Answer

You should not fail the security review because of this, as rich text areas are safe types to render unescaped. Other safe types are listed in the secure coding guidelines. However, be aware that what determines the safety of the data type is not the input type in the Visualforce page but the data type in your object model. Make sure it's really an RTF type.

I think you may be referring to being flagged by the source scanner as opposed to the security review (which is a manual process). If that is the case, please send an email to sourcescanner@salesforce.com and describe the false positive. There are no guarantees that we can squash every false positive, but we do try to improve the quality of the results over time.
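The answer's point is that the field's data type in the object model, not the richText="true" attribute on the input, is what makes unescaped output safe. The controller below is an added example (not code from the question or the answer) that turns that rule into a runtime check: it reads the field's describe metadata and only passes the stored value through unescaped when the field is a Rich Text Area; any other type is HTML-escaped before it reaches the page. The object name Account and the field name Field1__c are assumptions; the question does not name the object.

```apex
// Added example, not from the original post. Assumes a custom field
// Field1__c on Account; change OBJ_NAME / FIELD_NAME to match your org.
public with sharing class RichTextNoteController {
    private static final String OBJ_NAME   = 'Account';     // assumption
    private static final String FIELD_NAME = 'Field1__c';   // assumption

    private final Id recordId;

    public RichTextNoteController() {
        // Record to display, taken from the page URL (?id=...)
        recordId = ApexPages.currentPage().getParameters().get('id');
    }

    // True only when the field is a long text area flagged as HTML
    // formatted, i.e. a Rich Text Area. The platform sanitises RTF content
    // on save, which is why the secure coding guidelines treat it as safe
    // to render with escape="false".
    public static Boolean isRichTextArea(String objName, String fieldName) {
        Schema.SObjectType t = Schema.getGlobalDescribe().get(objName);
        if (t == null) return false;
        Schema.SObjectField f = t.getDescribe().fields.getMap().get(fieldName);
        if (f == null) return false;
        Schema.DescribeFieldResult d = f.getDescribe();
        return d.getType() == Schema.DisplayType.TEXTAREA && d.isHtmlFormatted();
    }

    // Returns markup that is safe to bind to escape="false": the stored
    // value when the backing field is a Rich Text Area, otherwise the
    // HTML-escaped text so a plain text field can never inject tags.
    public static String toRenderableHtml(String objName, String fieldName, String value) {
        if (value == null) return '';
        return isRichTextArea(objName, fieldName) ? value : value.escapeHtml4();
    }

    // Bound on the page as {!noteHtml}
    public String getNoteHtml() {
        if (recordId == null) return '';
        Schema.DescribeFieldResult d = Schema.getGlobalDescribe().get(OBJ_NAME)
            .getDescribe().fields.getMap().get(FIELD_NAME).getDescribe();
        // Respect field-level security before reading the value
        if (!d.isAccessible()) return '';
        String soql = 'SELECT ' + FIELD_NAME + ' FROM ' + OBJ_NAME
            + ' WHERE Id = :recordId LIMIT 1';
        List<SObject> rows = Database.query(soql);
        if (rows.isEmpty()) return '';
        return toRenderableHtml(OBJ_NAME, FIELD_NAME, (String) rows[0].get(FIELD_NAME));
    }
}
```

On the page this is consumed as `<apex:outputText value="{!noteHtml}" escape="false"/>` inside `<apex:page controller="RichTextNoteController">`. Note that a static scanner still sees escape="false" and may keep flagging the line; the check above makes the behaviour correct for the wrong field type, it does not change what the scanner reports, so the false-positive report the answer describes still applies.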
