When a malicious HTML or client-side script is supplied to a web application and rendered back in its pages, this is called cross-site scripting (XSS).
However, Salesforce has a special feature here: all standard Visualforce components, whose tags start with <apex:, have an anti-XSS filter (output escaping) in place by default.
To disable the protection on a Visualforce tag:
<apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}"/>
Focus on the escape="false": because of it, the protection Salesforce provides is bypassed and the page becomes vulnerable to an XSS attack again.
In general, code is vulnerable to XSS if it takes user input and outputs it directly back to the user without escaping it.
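As an added code-review aid that is not part of the original post, the following Python script scans Visualforce markup for any <apex: tag carrying escape="false" and ranks a finding higher when its value expression reads a request parameter through {!$CurrentPage.parameters...}, the pattern shown above. The sample markup, the controller and attribute names in it, and the severity labels are constructed for this example; the check is regex based and does not replace a full Visualforce parser.

```python
import re

# Constructed sample Visualforce page (not from any real org). Line 2 is the
# vulnerable form from the post; the other lines are there for contrast.
SAMPLE_PAGE = """<apex:page controller="DemoController">
  <apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}"/>
  <apex:outputText value="{!$CurrentPage.parameters.userInput}"/>
  <apex:outputText escape="false" value="{!staticLabel}"/>
  <apex:outputText escape="true" value="{!$CurrentPage.parameters.q}"/>
</apex:page>"""

# Opening <apex:...> tags and their attribute text (closing tags start with "</")
TAG_RE = re.compile(r"<apex:(\w+)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value" pairs inside a tag
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Expression that reads a URL/request parameter directly
PARAM_RE = re.compile(r"\{!\s*\$CurrentPage\.parameters\.", re.IGNORECASE)


def find_unescaped_outputs(markup):
    """Return one finding per <apex:*> tag whose escape attribute is "false".

    Each finding records the line number, the tag, the bound value expression
    and a severity: "high" when the value comes straight from a request
    parameter (untrusted input rendered unescaped), "review" otherwise.
    """
    findings = []
    for match in TAG_RE.finditer(markup):
        tag, attr_text = match.group(1), match.group(2)
        attrs = {name.lower(): value for name, value in ATTR_RE.findall(attr_text)}
        # Escaping is on unless the developer explicitly turned it off
        if attrs.get("escape", "true").lower() != "false":
            continue
        line_no = markup.count("\n", 0, match.start()) + 1
        value = attrs.get("value", "")
        severity = "high" if PARAM_RE.search(value) else "review"
        findings.append(
            {"line": line_no, "tag": f"apex:{tag}", "value": value, "severity": severity}
        )
    return findings


if __name__ == "__main__":
    for finding in find_unescaped_outputs(SAMPLE_PAGE):
        print(f'line {finding["line"]}: <{finding["tag"]}> escape="false" '
              f'value={finding["value"]} [{finding["severity"]}]')
```

Run it over a directory of .page files to get a list of every place escaping was switched off; the remediation the post implies is to drop escape="false" so the component's default escaping applies again, and the "review" findings are the ones where a human has to confirm the bound value really is trusted.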