Template Best Practices

Building a secure custom website with Salesforce B2C Commerce requires paying attention to every area that is vulnerable to attack and closing each one off.

To prevent malicious attacks through content manipulation (cross-site scripting, XSS), you must ensure that all content rendered into a page, and in particular anything that originates from user input such as a search phrase, is output-encoded for the context it is written into.

If a script expression such as ${pdict.ProductSearchResult.searchPhrase} is used in an ISML template, where the content type is set via the following:

<iscontent type="text/html" charset="UTF-8" compact="true">

the expression's result is automatically HTML encoded when the template is rendered.

But if the same expression is used in an ISML template that is included via <isinclude template=""> and no content type is set in the included ISML snippet, the content type text/plain is assumed and no HTML encoding takes place. This inconsistency can lead to XSS problems.

To correct this situation, you must either explicitly set the content type in the included template or wrap the expression in <isprint value="${...}"/> so that the resulting output is HTML encoded.

Setting the Content Type

To ensure that a script expression is HTML encoded, you must set the included page's content type to text/html via the following statement:

<iscontent type="text/html" charset="UTF-8" compact="true">
CAUTION:
If you include templates via <isinclude>, set the content type in every included template, as described. The <iscontent> setting of the including template does not carry over to the snippet.
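The following is an added example illustrating the include relationship described above; it is not taken from SiteGenesis. The parent template name search/productsearchresult.isml is assumed for this example; searchresultheader.isml is the snippet discussed later on this page.

```isml
<iscomment> File 1 (name assumed): search/productsearchresult.isml, the including template </iscomment>
<iscontent type="text/html" charset="UTF-8" compact="true"/>
<div class="search-results">
    <isinclude template="search/searchresultheader"/>
</div>

<iscomment>
    File 2: search/searchresultheader.isml, the included snippet.
    Without the iscontent line below, the snippet is treated as text/plain and
    script expressions in it are emitted without HTML encoding, regardless of
    the content type declared in File 1.
</iscomment>
<iscontent type="text/html" charset="UTF-8" compact="true"/>
<span class="term">
    "<isprint value="${pdict.ProductSearchResult.searchPhrase}"/>"
</span>
```

The snippet declares its own content type on its first line and additionally uses <isprint>, so the search phrase is encoded even if the snippet is later included from a template that sets a different content type.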

Using <isprint>

In SiteGenesis, we have addressed this problem by using the <isprint> element instead of merely using the following:

${pdict.ProductSearchResult.searchPhrase}

The <isprint> element HTML encodes special characters by default. Do not set encoding="off" on a value that can be influenced by the user, because that disables exactly this protection.

For example:

<isprint value="${pdict.ProductSearchResult.searchPhrase}"/>

Results in:

&#39;;alert&#40;&#39;hallo welt!&#39;&#41;;x=&#39;

This notation prevents cross-site scripting attacks because the browser renders the encoded characters as literal text: the quotes and parentheses no longer terminate a string or form a function call, so the injected alert() is displayed rather than executed.

CAUTION:
Check all areas in your code where ${pdict.ProductSearchResult.searchPhrase} (or any other user-controlled value) is written into a template and wrap it in the <isprint> element, as described.
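To make the effect of the encoding concrete, the following added example (plain JavaScript, not B2C Commerce platform code) implements a reference HTML encoder that reproduces the output shown above for the page's sample phrase and simulates the two variants of the term markup, raw interpolation versus <isprint>. The entities for ', ( and ) match the page's output; the named entities chosen for &, <, > and " are an assumption about the platform's encoder, and the sample phrases are constructed for this example.

```javascript
// Reference HTML encoder mirroring what <isprint> does to its value.
// ' ( ) use the numeric entities seen on this page; & < > " are assumed.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "(": "&#40;",
  ")": "&#41;",
};

function htmlEncode(value) {
  return String(value).replace(/[&<>"'()]/g, (ch) => HTML_ENTITIES[ch]);
}

const TERM_PREFIX = '<span class="term">"';
const TERM_SUFFIX = '"</span>';

// Insecure variant: the expression is interpolated without encoding,
// as in ${pdict.ProductSearchResult.searchPhrase} in a text/plain snippet.
function renderTermRaw(searchPhrase) {
  return `${TERM_PREFIX}${searchPhrase}${TERM_SUFFIX}`;
}

// Hardened variant: equivalent of <isprint value="${...}"/>.
function renderTermEncoded(searchPhrase) {
  return `${TERM_PREFIX}${htmlEncode(searchPhrase)}${TERM_SUFFIX}`;
}

// Crude breakout check for markup produced by the two renderers above:
// does the rendered phrase still contain a character that can open a tag,
// close an attribute, or terminate a string / form a call in inline script?
function containsActiveMarkup(html) {
  const inner = html.slice(TERM_PREFIX.length, html.length - TERM_SUFFIX.length);
  return /[<>"'()]/.test(inner);
}

// Constructed sample inputs: the page's own phrase plus two further payloads.
const SAMPLE_PHRASES = [
  "';alert('hallo welt!');x='",
  "<script>alert(1)</script>",
  'shoes" onmouseover="alert(1)',
];

// Runs every sample through both renderers and reports the outcome.
function demo() {
  return SAMPLE_PHRASES.map((phrase) => ({
    phrase,
    raw: renderTermRaw(phrase),
    rawUnsafe: containsActiveMarkup(renderTermRaw(phrase)),
    encoded: renderTermEncoded(phrase),
    encodedUnsafe: containsActiveMarkup(renderTermEncoded(phrase)),
  }));
}

for (const result of demo()) {
  console.log(result);
}
```

Running the block shows that every raw rendering is flagged as unsafe while every encoded one is not, and that htmlEncode turns the page's sample phrase into exactly the &#39;;alert&#40;... form shown above. The check is deliberately simple; in real templates the safe encoding depends on the context (HTML body, attribute, inline script), which is why <isprint> should be used consistently rather than relying on a single global transformation.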

Example - searchresultheader.isml

In a customized searchresultheader.isml template, use the following:

<span class="term">"
<isif condition="${!empty(pdict.ProductSearchResult.searchPhrase)}">
<isprint value="${pdict.ProductSearchResult.searchPhrase}"/>
</isif>
"</span>

Instead of this:

<span class="term">
"${!empty(pdict.ProductSearchResult.searchPhrase)?pdict.ProductSearchResult.searchPhrase:''}"
</span>