I have 2 pages
- The parent page has a link; on click of this link I am calling a JavaScript function:
function callpages(productId) {
    var product = document.getElementById(productId).id;
    var OpptyId = '{!Oppty.Id}';
    var urlToOpen = "/apex/" + '{!namepacePrefix}' + 'testPage?product=' + product + '&OpptyId=' + OpptyId;
    window.open(urlToOpen, '', 'resizable=0,location=0,position=0,scrollbar=0,width=850,height=350,top=100,left=220');
}
where Oppty.Id is taken from the controller.
- In my child page, I have all these parameters:
productValueId = ApexPages.currentPage().getParameters().get('product');
OpptyValue = ApexPages.currentPage().getParameters().get('OpptyId');
and these fields are then used in JavaScript as:
function setValue() {
    var productId = '{!productValueId}';
    window.parent.opener.document.getElementById(productId).value = '{!productValue}';
}
where {!productValue} is taken from the controller.
I do not understand how and how my Checkmarx issue
Therefore, please help me, because I want to submit the application for code review.
Best Regards
You are reading the query string parameter product into the productValueId controller member/property and then directly outputting it to the Visualforce page.
So basically whatever I give you on the query string ends up in the page response.
It may be possible, with some attempts, to encode a query string that will exit your JavaScript and execute whatever I do not want.
Example:
/apex/ABC__testPage?product=productId';alert('xss&OpptyId=006100000000001
or something like that. Encoding expression for you.
Checkmarx has found a possible path. You will need to either remove it or provide sufficient justification that it is not open to XSS.
A useful thing is to apply a data type to the values read from the query string, for example the productValueId
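
The data-type check suggested above, combined with encoding at the JavaScript sink, as an added example that is not part of the original post. It models the server-side merge-field substitution in plain JavaScript; the function names and sample values are constructed for illustration.

```javascript
// Added example: models how the server substitutes a merge field into the
// inline script of the child page. Function names are hypothetical.

// Vulnerable: the raw query-string value lands inside a JS string literal.
function renderUnsafe(product) {
  return "var productId = '" + product + "';";
}

// Salesforce record Ids are 15 or 18 alphanumeric characters.
const SF_ID = /^[a-zA-Z0-9]{15}([a-zA-Z0-9]{3})?$/;

// Encode for a JS string context: anything outside [A-Za-z0-9] becomes \uXXXX,
// so quotes, backslashes, '<' and line breaks cannot end the literal.
function jsEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened: enforce the expected type first, then encode at the sink anyway.
function renderSafe(product) {
  if (typeof product !== "string" || !SF_ID.test(product)) {
    throw new TypeError("product is not a valid record Id");
  }
  return "var productId = '" + jsEncode(product) + "';";
}

// Constructed inputs: a well-formed Id and the break-out value from the answer.
const goodId = "01t100000000001";
const badValue = "productId';alert('xss";

function demo() {
  const results = { unsafe: renderUnsafe(badValue), safeGood: renderSafe(goodId) };
  try {
    renderSafe(badValue);
    results.rejected = false;
  } catch (e) {
    results.rejected = e instanceof TypeError;
  }
  // Encoding alone already keeps the value inside the string literal.
  results.encodedOnly = "var productId = '" + jsEncode(badValue) + "';";
  return results;
}

console.log(demo());
```

In Visualforce itself the encoding step corresponds to wrapping the merge field in JSENCODE().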