salesforce_security_impl_guide
Security Tips for Apex and Visualforce Development

Formula Tags
The general syntax of these tags is {!FUNCTION()} or {!$OBJECT.ATTRIBUTE}. For example, if a developer wanted to include a user's session ID in a link, they could create the link using the following syntax:

Go to portal

Which renders output similar to the following:

Go to portal
Formula expressions can be function calls or include information about platform objects, a user's environment, the system environment, and the request environment. An important feature of these expressions is that data is not escaped during rendering. Since expressions are rendered on the server, it is not possible to escape rendered data on the client using JavaScript or other client-side technology. This can lead to potentially dangerous situations if the formula expression references non-system data (that is, potentially hostile or editable data) and the expression itself is not wrapped in a function that escapes the output during rendering. A common vulnerability is created by the use of the {!$Request.*} expression to access request parameters.

{!$Request.title}

Hello world!

Unfortunately, the unescaped {!$Request.title} tag also results in a cross-site scripting vulnerability. For example, the request:

http://example.com/demo/hello.html?title=Adios%3C%2Ftitle%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E

(whose title parameter URL-decodes to Adios</title><script>alert('xss')</script>) results in the output:

Adios</title><script>alert('xss')</script>Hello world!
The standard mechanism for server-side escaping is the SUBSTITUTE() formula tag. Given the placement of the {!$Request.*} expression in the example, the above attack can be prevented by using the following nested SUBSTITUTE() calls.

{!SUBSTITUTE(SUBSTITUTE($Request.title,"<","&lt;"),">","&gt;")}

Hello world!

Depending on the placement of the tag and the usage of the data, both the characters needing escaping and their escaped counterparts can vary. For instance, this statement:

<script>var ret = "{!$Request.retURL}";</script>
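The two rendering contexts discussed above, modelled in Python as an added example (this is not code from the guide or from Salesforce, only a model of what nested SUBSTITUTE() calls do to {!$Request.*} data before the page is sent). It assumes, from the encoded attack URL, that the {!$Request.title} expression sits inside the page's <title> element, and it uses a constructed retURL value that merely contains quotes. The same substitution of "<" and ">" that neutralises the title payload leaves a JavaScript string literal broken, which is why the characters to escape depend on where the tag is placed.

```python
"""
Model of server-side escaping for Visualforce formula expressions.

Added, constructed example: this is not Salesforce's implementation. It mimics
what nested SUBSTITUTE() calls do to {!$Request.*} data before the page is
rendered, so the effect of escaping (or not) in two contexts can be checked.
"""
import urllib.parse

# The guide's attack URL (the query string decodes to an injected </title><script>).
ATTACK_URL = ("http://example.com/demo/hello.html?title="
              "Adios%3C%2Ftitle%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E")

# Constructed value for the JavaScript-string example; it only contains quotes.
RETURL_VALUE = '/portal?name="smith"'


def request_param(url: str, name: str) -> str:
    """Decoded value of one query parameter, as {!$Request.name} would see it."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def substitute(text: str, old: str, new: str) -> str:
    """Equivalent of the SUBSTITUTE(text, old, new) formula function."""
    return text.replace(old, new)


def escape_for_html_element(value: str) -> str:
    """SUBSTITUTE(SUBSTITUTE(value,"<","&lt;"),">","&gt;"): enough for element text."""
    return substitute(substitute(value, "<", "&lt;"), ">", "&gt;")


def escape_for_js_string(value: str) -> str:
    """A JavaScript string literal needs other characters escaped: the backslash,
    the quote that delimits the literal, and '<' so no closing </script> survives."""
    value = substitute(value, "\\", "\\\\")
    value = substitute(value, '"', '\\"')
    return substitute(value, "<", "\\u003c")


def render_title(value: str, escaper=None) -> str:
    """Render <title>{!$Request.title}</title> with an optional escaping function."""
    return f"<title>{escaper(value) if escaper else value}</title>"


def render_script(value: str, escaper=None) -> str:
    """Render <script>var ret = "{!$Request.retURL}";</script> the same way."""
    return f'<script>var ret = "{escaper(value) if escaper else value}";</script>'


def title_injects_script(rendered: str) -> bool:
    """True if a <script> element ended up in the rendered head."""
    return "<script>" in rendered


def js_string_intact(rendered: str) -> bool:
    """True if the string literal has exactly one unescaped closing quote and the
    script element is not terminated early by a literal </script>."""
    src = rendered[len("<script>"):-len("</script>")]
    i, quotes = src.index('"') + 1, 0
    while i < len(src):
        if src[i] == "\\":
            i += 2          # skip an escape sequence such as \" or \u003c
            continue
        if src[i] == '"':
            quotes += 1
        i += 1
    return quotes == 1 and "</script>" not in src


if __name__ == "__main__":
    title = request_param(ATTACK_URL, "title")
    print(render_title(title))                           # injected <script>
    print(render_title(title, escape_for_html_element))  # neutralised
    # The HTML-element substitution does not protect a JavaScript string:
    print(render_script(RETURL_VALUE, escape_for_html_element))
    print(render_script(RETURL_VALUE, escape_for_js_string))
```

Running the module prints the four renderings; the checks below are what a reviewer would look for: the title context is fixed by the "<"/">" substitution alone, while the script context needs the quote and backslash handled as well.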
102