Commerce Script Injection

Server script injection, or remote code execution, is a class of attack where maliciously crafted input is run in a privileged code execution context. This class of attack lets an attacker control the code executed on the server.

Script injection is possible when a script interprets part or all of an unsafe or untrusted data input as code, or as a snippet of code, and runs it. The most common error that results in a code injection vulnerability is to call the global method eval(string) with an argument tainted with untrusted data. The eval method executes the passed string as a script expression, so any input that reaches it is run with the privileges of the server script. This method is deprecated and should be avoided because of the inherent security risk.
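The following example is added here and is not code from the original page or from the commerce platform it describes. It assumes a constructed product list and a storefront handler that receives a sort field name from the request; the unsafe version builds the field access with eval and so treats the request value as script, while the hardened version resolves it through an allowlist and never interprets input as code.

```javascript
// Constructed sample catalog data (not from the original page).
const PRODUCTS = [
  { id: 'a', price: 20, rating: 5 },
  { id: 'b', price: 5, rating: 2 },
  { id: 'c', price: 35, rating: 4 },
];

// VULNERABLE: the request-supplied field name is concatenated into a script
// string and handed to eval. eval does not see a field name; it sees code,
// and runs whatever expression the caller placed in the request parameter.
function sortByUnsafe(items, field) {
  return items
    .slice()
    .sort((a, b) => eval('a.' + field) - eval('b.' + field));
}

// HARDENED: untrusted input is only ever used as a lookup key into a fixed
// table of accessor functions written by the developer. Anything not in the
// table is rejected before it can influence what code runs.
const SORT_FIELDS = new Map([
  ['price', (p) => p.price],
  ['rating', (p) => p.rating],
]);

function sortBySafe(items, field) {
  const accessor = SORT_FIELDS.get(String(field));
  if (!accessor) {
    throw new RangeError('unsupported sort field: ' + String(field));
  }
  return items.slice().sort((a, b) => accessor(a) - accessor(b));
}

// Input validation check usable in a controller before any lookup: a legitimate
// field name is a plain identifier, so anything containing operators,
// punctuation or whitespace is logged and refused rather than processed.
function isPlainIdentifier(s) {
  return typeof s === 'string' && /^[A-Za-z_][A-Za-z0-9_]{0,63}$/.test(s);
}

function ids(items) {
  return items.map((p) => p.id).join(',');
}
```

Passing an arithmetic expression instead of a field name shows the difference: the eval-based sort quietly evaluates it, whereas the allowlisted sort raises an error that can be logged and alerted on.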