Doubts about Stored XSS Vulnerability


In the following examples, is it necessary to apply HTMLENCODE?

{!$Label.Select_Your_Language} : custom label
{!lang.Name} : SF custom object field
{!HotelConfig.languages} : Apex class variable
{!uNights} : Apex class variable


<apex:define name="langs-list">
    <apex:repeat value="{!HotelConfig.languages}" var="lang">
        <li class="{!IF(,'selected','')}"><a href="dhotel__t_home?l={!lang.Name}">{!lang.Title__c}</a></li>
    </apex:repeat>
</apex:define>

<apex:outputPanel id="htnights">
    <input type="text" id="nights" readonly="true" value="{!uNights}"/>
    <apex:inputHidden id="nightsHidden" value="{!uNights}"/>
</apex:outputPanel>

Attribution to: Cristina Pinheiro Dom Digital

Possible Suggestion/Solution #1

There are a number of good worked examples on preventing XSS vulnerabilities in the Secure Coding Cross Site Scripting: S-Control Template and Formula Tags Developer Force article. The examples include when you should use HTMLENCODE versus URLENCODE, JSINHTMLENCODE, etc. See Encoding Functions.

  • Custom label: <h3>{!$Label.Select_Your_Language}</h3>
    Yes, I'd apply HTMLEncode here unless you specifically want to allow those with permissions to set the label to include HTML characters.
  • SF Custom Object Name in hyperlink: <a href="dhotel__t_home?l={!lang.Name}">
    Yes, I'd apply URLENCODE here.
  • Apex class variable: <apex:repeat value="{!HotelConfig.languages}" var="lang">
    Here the value will never be directly rendered to the client so it shouldn't be an issue.
  • Apex class Variable: <input type="text" id="nights" readonly="true" value="{!uNights}"/>
    It depends on how uNights is being set. If in any way the value could have been defined by the user, then I would HTMLEncode it. If you have complete control of the value with no user input included, then you don't need to.
  • Apex class Variable: <apex:inputHidden id="nightsHidden" value="{!uNights}"/>
    With other apex controls like apex:outputText the value will be encoded by default and if you want the unencoded value you must explicitly set escape="false". apex:inputHidden doesn't have the corresponding attribute so I suspect it is always encoded.

Attribution to: Daniel Ballinger
This content is remixed from stackoverflow or stackexchange. Please visit
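The advice above applied to the question's markup, as an added example that is not part of either post: each merge field gets the Visualforce encoding function that matches the output context it lands in. It assumes uNights is a String property (wrap it in TEXT() if it is numeric) and uses a hypothetical controller property selectedLang in place of the blank IF() condition from the question.

```html
<!-- Hardened version of the question's markup (added example, not the
     original poster's code). selectedLang is an assumed controller property
     standing in for the empty IF() condition in the question. -->
<apex:define name="langs-list">
    <apex:repeat value="{!HotelConfig.languages}" var="lang">
        <li class="{!IF(lang.Name = selectedLang, 'selected', '')}">
            <!-- lang.Name lands inside a URL query string: URLENCODE -->
            <a href="dhotel__t_home?l={!URLENCODE(lang.Name)}">
                <!-- lang.Title__c lands in HTML text content: HTMLENCODE -->
                {!HTMLENCODE(lang.Title__c)}
            </a>
        </li>
    </apex:repeat>
</apex:define>

<!-- Custom label rendered as HTML text: HTMLENCODE unless label authors
     are deliberately allowed to embed markup -->
<h3>{!HTMLENCODE($Label.Select_Your_Language)}</h3>

<apex:outputPanel id="htnights">
    <!-- Raw HTML attribute: HTMLENCODE unless uNights is set purely by the
         controller with no user-supplied input (assumes a String property) -->
    <input type="text" id="nights" readonly="true" value="{!HTMLENCODE(uNights)}"/>
    <!-- apex:inputHidden has no escape attribute, so it is left to the
         component's own encoding, as the answer above describes -->
    <apex:inputHidden id="nightsHidden" value="{!uNights}"/>
</apex:outputPanel>
```

The point to check when reviewing a page is the context of each merge field, not the component it sits in: the same lang.Name needs URLENCODE in the href and would need HTMLENCODE if it were also printed as link text.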
