  • My app was rejected by Salesforce Review with error related to JavaScript.

    Posted by Obivan on March 16, 2016 at 7:13 am

    I sent a small managed packaged app for review in Salesforce AppExchange. However, my app was flagged by the SFDC Security Review team. The gist of their concern was:
    “JavaScript of any type is not allowed to run within the Salesforce.com application context. This includes JavaScript blocks within HomePageComponents, WebLinks, and all other components that are run under the Salesforce.com DOM.”

    The culprit, I think, is the short JavaScript code that we used for weblinks on some buttons. For example, we have a button for fetching info of selected records through GETRECORDIDS(), preparing a redirect URL, and opening a VF page.

    Any way to get around the problem and get the app listed on AppExchange?

  • 1 Reply
  • Shawn Clarke

    Member
    March 17, 2016 at 9:52 am

    Though it is not mentioned anywhere explicitly, the managed packaged apps are first tested by automated scripts from the Salesforce.com side, and once found, they flag JS code as a possible Cross-Site Scripting vulnerability.

    Custom JavaScript code is always vulnerable to ‘Code Injections’ and is therefore considered a security risk by SFDC. Check out this post to understand more:
    https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting

    The problem has a twofold solution. First, you have to make sure that you are using proper encoding functions around your JS code.
    ``

    Once you have done that, you can request re-review of your app. You would have to convince the review team that your app was flagged a false positive and is not vulnerable.
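
The encoding step from the reply above, as an added example that is not part of the original thread and not Salesforce's or either poster's code: it builds the redirect URL for the button described in the question from the selected record IDs, validating each ID and URL-encoding every parameter. The function names, the `ids` parameter and the `/apex/RecordInfo` page path are hypothetical, and the sample IDs are constructed.

```javascript
'use strict';

// Salesforce record IDs are 15 or 18 alphanumeric characters.
const SF_ID = /^[a-zA-Z0-9]{15}(?:[a-zA-Z0-9]{3})?$/;

function isRecordId(value) {
  return typeof value === 'string' && SF_ID.test(value);
}

// Accept only a same-origin path such as "/apex/SomePage": no scheme,
// no protocol-relative "//host", no backslash variants.
function isLocalPath(path) {
  return typeof path === 'string' && /^\/(?![\/\\])[A-Za-z0-9_\/.-]*$/.test(path);
}

// Build the redirect URL; every key and value is encoded for the query
// string so that no parameter can break out of its position in the URL.
function buildRedirectUrl(pagePath, recordIds, extraParams = {}) {
  if (!isLocalPath(pagePath)) {
    throw new Error('redirect target must be a local path');
  }
  if (!Array.isArray(recordIds) || recordIds.length === 0) {
    throw new Error('no records selected');
  }
  const bad = recordIds.filter((id) => !isRecordId(id));
  if (bad.length > 0) {
    throw new Error('rejected ' + bad.length + ' malformed record id(s)');
  }
  const pairs = [['ids', recordIds.join(',')], ...Object.entries(extraParams)];
  const query = pairs
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(String(v)))
    .join('&');
  return pagePath + '?' + query;
}

// Constructed sample input standing in for the selected record IDs.
const sampleIds = ['001A000001abcDE', '001A000001abcDEFGH'];
console.log(buildRedirectUrl('/apex/RecordInfo', sampleIds, { view: 'a&b=<c>' }));
```
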
