A developer has an Apex controller for a Visualforce page that takes an ID as a URL parameter.
How should the developer prevent a cross-site scripting vulnerability?
A. ApexPages.currentPage().getParameters().get('url_param')
B. String.escapeSingleQuotes(ApexPages.currentPage().getParameters().get('url_param'))
C. String.ValueOf(ApexPages.currentPage().getParameters().get('url_param'))
D. ApexPages.currentPage().getParameters().get('url_param').escapeHtml4()
CRT-450: Salesforce Certified Platform Developer I
D seems to be more complete, as it transforms ALL special characters (not only single quotes) to HTML4 entities.
B is the correct answer.
https://salesforce.stackexchange.com/questions/206284/soql-injection-vulnerability
The official documentation says not to use the String.escapeHtml4 function, for security reasons:
https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
Do not use the built in Apex String Encoding functions: String.escapeEcmaScript(), String.escapeHtml3(), and String.escapeHtml4(). These functions are based on Apache’s StringEscapeUtils package which was not designed for security encoding and should not be used.
The reference is here: https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
B is the correct answer.
https://salesforce.stackexchange.com/questions/206284/soql-injection-vulnerability
The correct answer is D.
https://salesforce.stackexchange.com/questions/233885/apex-classes-should-escape-sanitize-strings-obtained-from-url-parameters-how
B is the correct answer because String.escapeSingleQuotes can be used to prevent attackers from accessing restricted data in the org.
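For readers working through the question rather than memorising the key, here is an added Apex example (not from the question, the commenters, or Salesforce's own code) of a Visualforce controller that handles an ID taken from a URL parameter. It shows where each technique discussed in the thread actually belongs: the value is validated as an Id and bound into SOQL (so no quoting is needed), String.escapeSingleQuotes is reserved for the one case the linked Stack Exchange answer is about, namely a value concatenated into dynamic SOQL, and HTML output encoding is left to Visualforce's default merge-field encoding rather than to escapeHtml4, which the quoted secure coding guide says not to use. The class name AccountViewController, the parameter key "id", and the page markup in the trailing comment are assumptions.

```apex
// Added example, not code from the page. Class and parameter names are assumed.
public with sharing class AccountViewController {
    public String requestedId { get; private set; }
    public Account record { get; private set; }
    public String errorMessage { get; private set; }

    public AccountViewController() {
        String raw = ApexPages.currentPage().getParameters().get('id');
        requestedId = raw;

        // Step 1: validate the shape of the value before it is used anywhere.
        // A 15/18-character Salesforce Id is a far tighter contract than
        // "any string"; Id.valueOf throws a StringException on anything else.
        if (String.isBlank(raw)) {
            errorMessage = 'Missing record id';
            return;
        }
        Id safeId;
        try {
            safeId = Id.valueOf(raw);
        } catch (Exception e) {
            errorMessage = 'Invalid record id';
            return;
        }

        // Step 2: bind the value into SOQL instead of concatenating it.
        // A bind variable is never parsed as SOQL text, so there is nothing
        // to escape here and escapeSingleQuotes is not needed for this query.
        List<Account> rows = [SELECT Id, Name FROM Account WHERE Id = :safeId LIMIT 1];
        record = rows.isEmpty() ? null : rows[0];
    }

    // Only when a value must be concatenated into a dynamic SOQL string
    // (for example a free-text name filter) is escapeSingleQuotes the right
    // tool: it neutralises the quote that would otherwise end the literal.
    // This is SOQL injection defence, not HTML output encoding.
    public static List<Account> findByName(String nameFragment) {
        String safe = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safe + '%\' LIMIT 10';
        return Database.query(soql);
    }

    /* Visualforce side (assumed page markup). Merge fields are HTML-encoded
     * by default, so {!requestedId} and {!record.Name} render as text even
     * when the URL parameter contains markup:
     *
     *   <apex:page controller="AccountViewController">
     *       <apex:outputText value="{!errorMessage}" rendered="{!errorMessage != null}"/>
     *       <apex:outputText value="{!record.Name}" rendered="{!record != null}"/>
     *   </apex:page>
     *
     * Setting escape="false" on apex:outputText is what disables that encoding.
     * When a value must land inside JavaScript or a URL rather than HTML text,
     * use the Visualforce formula functions JSENCODE / URLENCODE in the page
     * rather than an Apex-side escapeHtml4 call.
     */
}
```

The design point is that the two functions in answers B and D address different contexts: escapeSingleQuotes protects a SOQL string literal, while HTML encoding protects the rendered page, and in Visualforce the latter is applied by the page itself unless a developer explicitly turns it off.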