Insecure Processing of Data

This category covers the following issues:

Cross-Site Scripting (XSS)

Why is this important?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target legitimate users of a web application by sending malicious script code to them.

Check out this video for a high-level explanation:

Cross-Site Scripting

Fixing Cross-Site Scripting

Option A: Enable escaping for addError()

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:
public without sharing class Foo {
  Trigger.new[0].addError(vulnerableHTMLGoesHere, false);
}
  1. And ensure that escaping is enabled, or that the input is safe.
public without sharing class Foo {
  Trigger.new[0].addError(vulnerableHTMLGoesHere, true);
}
  1. Test it
  2. Ship it 🚢 and relax 🌴

Option B: Perform output encoding

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:
public without sharing class Foo {
  String unescapedstring = ApexPage.getCurrentPage().getParameters.get('url_param');
  String usedLater = unescapedstring;
}
  1. And ensure that the values are properly escaped/sanitized:
public without sharing class Foo {
  String unescapedstring = ApexPage.getCurrentPage().getParameters.get('url_param');
  String escapedstring = ESAPI.encoder().SFDC_HTMLENCODE(unescapedstring);
  String usedLater = escapedstring;
}
  1. Test it
  2. Ship it 🚢 and relax 🌴

More information:

Open Redirect

Why is this important?

Open Redirects allow attackers to redirect legitimate users to an attacker-controlled location. This is typically used to make phishing attacks more successful.

Check out this video for a high-level explanation:

Open Redirects

Fixing Open Redirects

Option A: Avoid dynamic values in redirects

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:
public without sharing class Foo {
  String unsafeLocation = ApexPage.getCurrentPage().getParameters.get('url_param');
  PageReference page() {
    return new PageReference(unsafeLocation);
  }
}
  1. Ensure that the location is either static, or the user input is sanitized.
  2. Test it
  3. Ship it 🚢 and relax 🌴

More information

Insecure Network CommunicationInsecure Use of Cryptography