Validation ensures data meets expected formats and requirements. Invalid requests are typically rejected, and an error is returned to users. There are multiple validation points, but this guide focuses on Client-Side and Server-Side validation.
Client-Side data validation: Implemented using JavaScript to check data in the user's browser before sending it to the server.
Server-Side data validation: Added as an extra step in the business flow to validate data type and content before processing.
Salesforce Commerce Cloud recommends performing light Client-Side validation to improve the user experience, while always enforcing thorough Server-Side validation that duplicates every client-side check.
Validation helps prevent injection attacks, such as Cross-Site Scripting (XSS).
Validation ensures that bad or malicious data never enters an application.
Duplicating Client-Side checks on the Server prevents attackers from bypassing the front-end and sending manipulated data.
Client-Side validation provides immediate feedback to users for minor input errors.
Server-Side validation ensures malicious users cannot send direct requests with altered data.
Disabling a button in the front-end does not prevent an attacker from modifying the form via browser developer tools and submitting invalid data.
  <!-- authorized_purchase.isml -->
  <!-- The disabled attribute is only a hint to the browser; it can be removed in developer tools -->
  <form action="${URLUtils.httpsContinue()}">
    <input type="submit" value="Submit My Purchase" disabled="disabled"/>
  </form>

  // SubmitPurchase.js
  // Submits as soon as the parameter is present; nothing on the server checks
  // whether this user is actually allowed to purchase
  if (parameters.submit_purchase != null && parameters.submit_purchase.length > 0) {
    submitpurchase();
  }
Validating data in the front-end may expose sensitive internal logic, such as valid promo codes.
  <!-- flashsalecodes.isml -->
  <!-- isGoodCode() runs in the browser, so the list of valid codes it compares against is shipped to every visitor -->
  <form name="myForm" onsubmit="return isGoodCode()">
    <input type="text" name="code"/>
    <input type="submit" value="Use Promo Code"/>
  </form>
Using incorrect regular expressions can introduce security vulnerabilities.
Example: A validation that aims to prevent numbers in a username but mistakenly allows special characters.
  // TestUsername.js
  // Intended to return true only if the username contains no digits
  function isGoodUserName(username) {
    var re = /^\D+$/; // \D matches any non-digit, so "<", ">", "'" and other special characters pass
    return re.test(username);
  }
Always validate on the server to block manipulation attempts in the client.
  // SubmitPurchase.js
  if (parameters.submit_purchase != null && parameters.submit_purchase.length > 0) {
    submitpurchase();
  } else {
    // Reject on the server regardless of what the front-end allowed
    return "User is unauthorized to submit a purchase";
  }

  // ValidatePromo.js
  // The list of valid codes lives only on the server
  var good_codes = ["1234", "8675", "31415"];
  if (parameters.code != null && parameters.code.length > 0) {
    if (good_codes.indexOf(parameters.code) == -1) {
      return "Bad Promo Code";
    }
  }
Using whitelists instead of blacklists is recommended.
Example of a properly designed regular expression for username validation:
  // TestUsername.js
  // Ensures the username contains only letters, apostrophes, hyphens and spaces,
  // and starts or ends with a letter. The alternation is grouped so that ^ and $
  // anchor the whole pattern, and the hyphen is escaped inside the character class.
  function isGoodUserName(username) {
    var re = /^(?:[a-zA-Z]+[a-zA-Z' \-]*|[a-zA-Z' \-]*[a-zA-Z]+)$/;
    return re.test(username);
  }
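As an added example that is not part of this guide (function names, the shape of the parameters object and the sample promo codes are assumptions), the flawed digit-only check beside a whitelist that is anchored as a whole, plus a server-side promo lookup that keeps the valid codes off the client:

```javascript
// Added example, not code from the Salesforce Commerce Cloud guide. Function
// names, the parameters object shape and the promo codes are assumptions.

// Flawed check: \D matches any non-digit, so punctuation and markup such as
// "<script>" pass as long as no digit is present.
function isGoodUserNameFlawed(username) {
  return /^\D+$/.test(username);
}

// Whitelist alternation anchored only on its outer ends: ^ binds to the first
// branch and $ to the second, so "abc123" still matches via the first branch.
function isGoodUserNameMisanchored(username) {
  return /^[a-zA-Z]+[a-zA-Z' \-]*|[a-zA-Z' \-]*[a-zA-Z]+$/.test(username);
}

// Corrected whitelist: the group is anchored as a whole, so every character
// must be a letter, apostrophe, hyphen or space, and the string must start
// or end with a letter. A length bound rejects oversized input early.
function isGoodUserNameWhitelist(username) {
  if (typeof username !== "string" || username.length === 0 || username.length > 64) {
    return false;
  }
  return /^(?:[a-zA-Z]+[a-zA-Z' \-]*|[a-zA-Z' \-]*[a-zA-Z]+)$/.test(username);
}

// Server-side promo validation: the list of valid codes never leaves the
// server, the format is whitelisted before the lookup, and the caller gets a
// structured verdict instead of a bare string.
var GOOD_CODES = ["1234", "8675", "31415"]; // constructed sample codes

function validatePromoCode(parameters) {
  var code = parameters ? parameters.code : undefined;
  if (typeof code !== "string" || code.length === 0) {
    return { ok: false, error: "Missing Promo Code" };
  }
  if (!/^\d{4,5}$/.test(code)) {
    return { ok: false, error: "Bad Promo Code" };
  }
  if (GOOD_CODES.indexOf(code) === -1) {
    return { ok: false, error: "Bad Promo Code" };
  }
  return { ok: true, code: code };
}
```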