Cross-site scripting

This lab explains how XSS manifests in Salesforce applications, how to validate exploitability in real UI flows, and how to implement context-safe output handling in Visualforce and Lightning components.

Executive Summary

Cross-site scripting (XSS) occurs when untrusted data is rendered in an executable browser context. In Salesforce, this often appears in custom Visualforce, Aura/LWC rendering patterns, URL parameter handling, and rich text display flows where encoding is weakened or bypassed.

Salesforce Attack Surface

  • Visualforce output rendered with escape="false"
  • Dynamic HTML insertion in Aura/LWC via unsafe DOM APIs
  • URL and query parameter reflection in page markup
  • Rich text or user-generated content displayed without sanitization
  • Custom JavaScript bridges between Lightning and Visualforce
<!-- Vulnerable Visualforce pattern -->
<apex:outputText value="{!$CurrentPage.parameters.q}" escape="false" />

Business Impact

  • Session abuse: script in the victim's browser inherits the authenticated session and can read any session token exposed to page script, enabling impersonation
  • Data exposure: reads of records and page data the victim is authorized to see, including through the same-origin APIs the UI itself calls
  • Action forgery: record edits, sharing changes, or other actions performed under the victim's identity
  • Brand and trust damage: malicious scripts served from the org's own trusted domain
  • Chain risk: XSS used as a pivot to broader account or org compromise (for example, when the victim is an administrator)

XSS Variants in Salesforce

  • Reflected XSS: payload from a request parameter echoed in the response to that same request
  • Stored XSS: payload persisted in records or rich text fields and rendered to other users later
  • DOM-based XSS: client-side JavaScript reads untrusted data (URL state, page parameters) and writes it to a DOM sink; the server response may be clean

Validate each variant separately because exploitability and remediation differ by rendering context.

Testing Methodology

  • Map all input sources (URL parameters, record fields, navigation state) and rendering sinks in Visualforce and Lightning views
  • Test payloads per context (HTML text, quoted attribute, URL, JavaScript string, DOM sink); a payload that breaks out of one context is often inert in another
  • Confirm execution in the real browser flow, for example with a payload that produces an observable side effect; a payload that merely appears in the response may still be neutralized by its context
  • Assess blast radius by role/profile and page exposure (who can reach the page, and what those users can do)
  • Document proof with the request, the rendered response, and the executed behavior
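The first methodology step, mapping sources to sinks, is tedious by hand across a large org. The following scanner is an added example written for this lab page, not code from the lab or from Salesforce: it greps component JavaScript and page markup for known untrusted sources (request parameters, navigation state, location) and rendering sinks (innerHTML, setAttribute on URL or event attributes, escape="false", aura:unescapedHtml, lwc:dom="manual") and pairs each sink with the sources above it. The two inputs, SAMPLE_COMPONENT and SAMPLE_PAGE, are constructed for the example. A line-level scan like this produces candidates to confirm in a browser; it does not track data flow and proves nothing on its own.

```javascript
// Triage aid: map candidate untrusted sources to rendering sinks in
// Salesforce client code (LWC/Aura JavaScript and Visualforce/Aura markup).

const SINK_PATTERNS = [
  { kind: 'html-sink',   re: /\.(innerHTML|outerHTML)\s*=/ },
  { kind: 'html-sink',   re: /\.insertAdjacentHTML\s*\(/ },
  { kind: 'html-sink',   re: /document\.write(ln)?\s*\(/ },
  { kind: 'script-sink', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { kind: 'attr-sink',   re: /\.setAttribute\s*\(\s*['"](href|src|srcdoc|action|formaction|on\w+)['"]/ },
  { kind: 'url-sink',    re: /\.(href|src|action)\s*=/ },
  // Markup-level opt-outs from default escaping in Visualforce, Aura and LWC.
  { kind: 'markup-sink', re: /escape\s*=\s*"false"|aura:unescapedHtml|lwc:dom\s*=\s*"manual"/ },
];

const SOURCE_PATTERNS = [
  // Request parameters and navigation state as seen from Visualforce, Apex and LWC.
  { kind: 'request-param', re: /\$CurrentPage\.parameters|ApexPages\.currentPage\(\)\.getParameters\(\)|CurrentPageReference|pageRef\.state|location\.(search|hash|href)|URLSearchParams/ },
  { kind: 'window-source', re: /document\.referrer|window\.name/ },
];

// Returns one finding per (line, matching pattern); role is 'source' or 'sink'.
function scanForSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const trimmed = text.trim();
    if (trimmed.startsWith('import ')) return; // module imports are not data flow
    for (const p of SINK_PATTERNS) {
      if (p.re.test(trimmed)) findings.push({ line: index + 1, role: 'sink', kind: p.kind, text: trimmed });
    }
    for (const p of SOURCE_PATTERNS) {
      if (p.re.test(trimmed)) findings.push({ line: index + 1, role: 'source', kind: p.kind, text: trimmed });
    }
  });
  return findings;
}

// Pair every sink with the sources that precede it in the same file: these
// are the candidate flows a tester confirms with a real payload in the browser.
function candidateFlows(findings) {
  const sources = findings.filter((f) => f.role === 'source');
  return findings
    .filter((f) => f.role === 'sink')
    .map((sink) => ({ sink, upstreamSources: sources.filter((s) => s.line <= sink.line) }));
}

// Constructed LWC component (not from any real org): reads a URL state
// parameter and writes it to two sinks and one safe property.
const SAMPLE_COMPONENT = `
import { LightningElement, wire } from 'lwc';
import { CurrentPageReference } from 'lightning/navigation';
export default class Banner extends LightningElement {
  @wire(CurrentPageReference) pageRef;
  renderedCallback() {
    const q = this.pageRef && this.pageRef.state.c__q;
    const box = this.template.querySelector('.banner');
    box.innerHTML = q;
    this.template.querySelector('.safe').textContent = q;
    const link = this.template.querySelector('a');
    link.setAttribute('href', q);
  }
}`;

// Constructed Visualforce page: the same parameter rendered unescaped and escaped.
const SAMPLE_PAGE = `<apex:page controller="SearchController">
  <apex:outputText value="{!$CurrentPage.parameters.q}" escape="false" />
  <apex:outputText value="{!$CurrentPage.parameters.q}" />
</apex:page>`;

for (const [name, text] of Object.entries({ SAMPLE_COMPONENT, SAMPLE_PAGE })) {
  for (const flow of candidateFlows(scanForSinks(text))) {
    const upstream = flow.upstreamSources.map((s) => s.line).join(',');
    console.log(`${name}:${flow.sink.line} ${flow.sink.kind} <- source lines [${upstream}]`);
  }
}
```

Expect the component to report the innerHTML assignment and the href setAttribute (the textContent write is not a sink), and the page to report only the escape="false" line. Treat every reported pair as a hypothesis to test in a real browser flow, per the methodology above.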

Secure Engineering Patterns

  • Keep output encoding enabled by default; use escape="false" only for content that is fully server-controlled or has already been sanitized, and record the justification
  • Use framework-safe rendering paths in LWC/Aura: template data binding escapes by default; do not assign untrusted data to innerHTML or into lwc:dom="manual" regions
  • Sanitize untrusted rich text with an allow-list sanitizer before display; encoding alone would also break legitimate formatting
  • Apply CSP and avoid dynamic script execution patterns (eval, Function, string-based timers)
  • Separate data from executable contexts (script blocks, event handler attributes, javascript: URLs); pass data through attributes or properties instead
<!-- Safer default -->
<apex:outputText value="{!$CurrentPage.parameters.q}" />

// LWC guidance: bind untrusted values in the template or set textContent; never assign them to innerHTML.
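The two Visualforce lines above show the HTML text context only. The block below is an added example for this page, not code from the lab or from Salesforce, that carries the per-context encoding the methodology and engineering patterns call for into working JavaScript: one encoder for HTML text, one for quoted attributes, scheme allow-listing instead of encoding for URLs, and a JSON-based encoder for the rare case where data must land in a script block. BASE_URL and the PAYLOADS table are assumptions constructed for the example.

```javascript
// Context-aware output encoding for untrusted values, illustrated on a
// search-result card. Each slot of the markup gets the encoder for the
// context it lands in; one encoder does not fit all contexts.

// Hypothetical org base URL, used only to resolve relative links here.
const BASE_URL = 'https://example.my.salesforce.com/';

// HTML text context: neutralise the characters that can open a tag or
// entity. This is the same set Visualforce's default escaping and LWC
// template binding handle for you.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted HTML attribute context: same character set, but only safe when the
// template always wraps the value in double quotes.
const encodeAttr = encodeHtml;

// URL context (href/src): encoding does not help, because "javascript:" is
// made of ordinary characters. Parse the value and allow-list the scheme.
function safeHref(value) {
  try {
    const url = new URL(String(value), BASE_URL);
    if (url.protocol === 'https:' || url.protocol === 'http:') return url.href;
  } catch (e) {
    // unparseable input falls through to the inert link below
  }
  return '#';
}

// JavaScript string context, for data that must be emitted into a <script>
// block: JSON.stringify handles quotes and backslashes; \u003c keeps a
// "</script>" inside the data from closing the block early.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Assemble a card from untrusted fields, choosing the encoder per slot. The
// note rides in a data- attribute to be read back via element.dataset, which
// keeps it out of executable context entirely.
function renderResultCard({ title, link, note }) {
  return (
    `<div class="card" data-note="${encodeAttr(note)}">` +
    `<a href="${safeHref(link)}">${encodeHtml(title)}</a>` +
    `</div>`
  );
}

// Constructed per-context payloads (not captured from any real system).
const PAYLOADS = {
  html: '<img src=x onerror=alert(1)>',
  attr: '" autofocus onfocus=alert(1) x="',
  url: 'javascript:alert(1)',
  js: '</script><script>alert(1)</script>',
};

// Run each payload through the slot it targets and check that no breakout
// character survived. Returns true when every slot is inert.
function allPayloadsNeutralised() {
  const card = renderResultCard({ title: PAYLOADS.html, link: PAYLOADS.url, note: PAYLOADS.attr });
  const attrValue = card.match(/data-note="([^"]*)"/)[1];
  return (
    !card.includes('<img') &&                      // tag did not survive in text context
    attrValue === encodeAttr(PAYLOADS.attr) &&     // no raw quote closed the attribute
    card.includes('href="#"') &&                   // javascript: was rejected, not encoded
    !encodeForJsString(PAYLOADS.js).includes('<')  // script block cannot be closed early
  );
}

console.log(renderResultCard({ title: PAYLOADS.html, link: PAYLOADS.url, note: PAYLOADS.attr }));
console.log('all payloads neutralised:', allPayloadsNeutralised());
```

The URL slot is the one most often handled wrong: HTML-encoding "javascript:alert(1)" changes nothing, so the value has to be parsed and its scheme checked, which is why safeHref returns an inert "#" rather than an encoded string. safeHref still accepts any https host; if the page must not link off-org, add a host check as well.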

Verification Checklist

  • No user-controlled data rendered in executable context without sanitization
  • All Visualforce unsafe output paths reviewed and justified
  • DOM sinks audited in custom client-side scripts
  • Stored content rendering validated against malicious payloads
  • Regression tests confirm fixes across profiles and form factors

Lab Exercises

This lab includes hands-on exercises to practice identifying and fixing XSS vulnerabilities in Salesforce-specific flows:

  • Exercise 1: Identify reflected XSS in Visualforce parameter rendering
  • Exercise 2: Validate stored XSS through record-backed content
  • Exercise 3: Fix DOM-based XSS patterns in component JavaScript
  • Exercise 4: Apply context-aware encoding and sanitization
  • Exercise 5: Execute regression validation and retest evidence capture