Is there a way through the .NET framework or some other package to sanitize strings so that they can be safely used in SOSL? Is there any larger standard that SOSL falls under?
I was able to find "How to pass a variable to the SOQL where clause?" and "Escaping reserved characters in SOSL queries", but they both deal with solving specific cases rather than a general solution.
I would prefer not to roll my own solution.
Attribution to: Ryan Gates
Possible Suggestion/Solution #1
These links should give you some good information on injection. For the most part I don't believe Salesforce has the same security risks because it doesn't use SQL, which does induce some limitations, while adding some security as a by-product.
https://www.salesforce.com/us/developer/docs/pages/Content/pages_security_tips_soql_injection.htm
http://wikisf.blogspot.in/2012/08/preventing-soql-injection.html
Also check into the security scanner; personally I haven't used it, but it may assist you.
http://security.force.com/security/tools/forcecom/scanner
Attribution to: EricSSH
Possible Suggestion/Solution #2
From Dynamic SOSL - SOSL Injection:
SOSL injection is a technique by which a user causes your application to execute database methods you did not intend by passing SOSL statements into your code. This can occur in Apex code whenever your application relies on end user input to construct a dynamic SOSL statement and you do not handle the input properly.
To prevent SOSL injection, use the escapeSingleQuotes method. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.
Based on that, it should be sufficient to escape any single quote characters in the user-based input before merging it with your dynamic SOSL.
Attribution to: Daniel Ballinger
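Worked example added here (not from the question or either answer) of the pattern the second answer describes, in Apex: the concatenated dynamic SOSL beside its escapeSingleQuotes form, plus the static bind-variable form that avoids string assembly altogether. The class, method and variable names are assumptions; Search.query, String.escapeSingleQuotes, bind variables in FIND and the Contact fields are standard Apex. One caveat for practitioners: escapeSingleQuotes neutralizes only the quote, so the other SOSL reserved characters the question alludes to still need a backslash if the input is to be matched literally.

```apex
// Added example, not part of the question or the answers. Class, method and variable
// names are assumptions made for illustration.
public with sharing class ContactSearch {

    // UNSAFE: the raw user term is concatenated into the FIND clause. A term that
    // contains a single quote ends the search string early, and whatever follows
    // is parsed as SOSL syntax (the SOSL injection the answer describes).
    public static List<List<SObject>> findUnsafe(String userTerm) {
        String q = 'FIND \'' + userTerm + '\' IN NAME FIELDS RETURNING Contact(Id, Name)';
        return Search.query(q);
    }

    // HARDENED: every single quote in the input is prefixed with a backslash, so a
    // quote can no longer terminate the FIND string.
    public static List<List<SObject>> findEscaped(String userTerm) {
        String safeTerm = String.escapeSingleQuotes(userTerm);
        String q = 'FIND \'' + safeTerm + '\' IN NAME FIELDS RETURNING Contact(Id, Name)';
        return Search.query(q);
    }

    // escapeSingleQuotes only handles the quote. If the term must match literally,
    // the other SOSL reserved characters also need a backslash; otherwise '*' and
    // '?' still act as wildcards and '&' / '|' as operators.
    // Reserved set per the SOSL reference: ? & | ! { } [ ] ( ) ^ ~ * : \ " ' + -
    public static String escapeSoslReserved(String userTerm) {
        String reserved = '?&|!{}[]()^~*:\\"\'+-';
        String escaped = '';
        for (Integer i = 0; i < userTerm.length(); i++) {
            String c = userTerm.substring(i, i + 1);
            if (reserved.contains(c)) {
                escaped += '\\';
            }
            escaped += c;
        }
        return escaped;
    }

    // Static SOSL with a bind variable: the runtime passes the term as data, so no
    // query string is assembled and no manual escaping is needed.
    public static List<List<SObject>> findBound(String userTerm) {
        return [FIND :userTerm IN NAME FIELDS RETURNING Contact(Id, Name)];
    }
}
```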
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/32799