A developer has an Apex controller for a Visualforce page that takes an ID as a URL parameter.

6 thoughts on “A developer has an Apex controller for a Visualforce page that takes an ID as a URL parameter.”

1. D seems to be more complete, as it transforms ALL special characters (not only single quotes) to Html4 entities

   1

   Reply

2. B is correct answer

   https://salesforce.stackexchange.com/questions/206284/soql-injection-vulnerability
   In official document, it mentions do not use String.escapeHtml4 function for security reasons
   https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
   Do not use the built in Apex String Encoding functions: String.escapeEcmaScript(), String.escapeHtml3(), and String.escapeHtml4(). These functions are based on Apache’s StringEscapeUtils package which was not designed for security encoding and should not be used.

   19

   3

   Reply

3. Do not use the built in Apex String Encoding functions: String.escapeEcmaScript(), String.escapeHtml3(), and String.escapeHtml4(). These functions are based on Apache’s StringEscapeUtils package which was not designed for security encoding and should not be used.

   reference is here https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm

   B Is Correct Answer

   https://salesforce.stackexchange.com/questions/206284/soql-injection-vulnerability

   8

   Reply

4. Correct ans is D

   https://salesforce.stackexchange.com/questions/233885/apex-classes-should-escape-sanitize-strings-obtained-from-url-parameters-how

   7

   Reply

5. B Is Correct Answer because String.escapeSingleQuotes can be used to prevent attackers from accessing restricted data in the org.

   8

   Reply

6. B Is Correct Answer because String.escapeSingleQuotes can be used to prevent attackers from accessing restricted data in the org.

   6

   Reply