How can I avoid the security risks with escape=false in salesforce? - Forcetalks

Tagged: Data Security, Limits, Salesforce Security, Salesforce Security Review

Salesforce® Discussions

How can I avoid the security risks with escape=false in salesforce?

Posted by PRANAV on September 19, 2016 at 12:59 PM

Hi All,

How can I avoid the security risks with escape=false in salesforce?

Thanks

Mohit replied 9 years, 7 months ago 2 Members · 1 Reply
1 Reply

Mohit

Member
September 22, 2016 at 6:05 AM

Hi Pranav,

A Boolean value that specifies whether sensitive HTML and XML characters should be escaped in the HTML output generated by this component. If you do not specify escape=”false”, the character escape sequence displays as written. Be aware that setting this value to “false” may be a security risk because it allows arbitrary content, including JavaScript, that could be used in a malicious manner.

By default, nearly all Visualforce tags escape the XSS-vulnerable characters. It is possible to disable this behavior by setting the optional attribute escape=”false”. For example, the following output is vulnerable to XSS attacks:

<apex:outputText escape=”false” value=”{!$CurrentPage.parameters.userInput}” />

Hope this help you

Thanks.

Log In to reply.