<h3 id="798de53e-1a62-4c90-9733-7968c078ffe5" data-toc-id="798de53e-1a62-4c90-9733-7968c078ffe5">Cross-Site Scripting Defense in Salesforce Commerce Cloud</h3>Cross-Site Scripting (XSS) is a class of vulnerabilities that allow an attacker to inject malicious scripts, such as JavaScript, into a web page that gets executed on a victim’s browser. This can allow the attacker to compromise the browser and begin to attack the victim directly through the browser.This attack is very easy to initiate for one simple reason: browsers are very trusting. Generally, they trust any content that they receive from a server; however, if the content that the browser receives has been tampered with, the browser is generally defenseless. This means the protection must fall to developers to teach the website what content is fully trusted vs. untrusted, and what to do with untrusted content.The Commerce Cloud recommendation for protecting sites against Cross-Site Scripting is Output Encode and Input Validate using built-in mechanisms. Output Encoding is used when data that lives in the application may contain untrusted data. Once that data has left the application and is placed in a web page destined for a user, the potentially compromised data should be encoded for the context in which it lives. For example, if the context is an HTML page, the data should encode HTML markup, such as the greater-than and less-than signs (<code>&gt;</code> <code>&lt;</code>).<h2 id="fed7c2a3-5343-41dd-ba34-c251dc1eb067" data-toc-id="fed7c2a3-5343-41dd-ba34-c251dc1eb067">Unlock SFCC Pro Tips!</h2>Imagine what you’re missing in our other guides! Stay ahead of the competition, get exclusive pro tips, and master Salesforce Commerce Cloud like never before.👉 <a target="" rel="noopener noreferrer" href="https://www.sfcclearning.com/subscribe">Subscribe NOW and never struggle with SFCC again!</a>Threats: Counteracts Cross-Site Scripting Attack <h2 id="c28e770c-369c-492d-a0fa-a6ee29bddb84" data-toc-id="c28e770c-369c-492d-a0fa-a6ee29bddb84">Why is this Best Practice Important?</h2>In Commerce Cloud storefronts, this attack is one of the most common vectors to attack storefront users. Since the attack uses the server as a staging area and directly attacks users' browsers, it is nearly impossible to detect when an attack is happening on the server, since the attack happens on client machines.By setting up defenses inside the application, developers can ensure that attackers cannot use the eCommerce site as a staging ground to attack storefront users.<h2 id="06675925-64ce-4f9f-ac89-a312e17b578d" data-toc-id="06675925-64ce-4f9f-ac89-a312e17b578d">How does this Best Practice protect against Threats?</h2><ul><li>Output Encoding: The preferred method for protection against XSS, output encoding sanitizes data before being sent to browsers. This neutralizes potentially malicious text without affecting how it is processed internally.</li><li>Input Validation: Unlike Output Encoding, this method examines all parameters upon receipt. If any parameter value does not conform to an expected value, the request is rejected. Input Validation is typically harder to accomplish in non-trivial cases. Commerce Cloud recommends Input Validation to examine types of data, rather than contents—for example, verifying that the parameter <code>item_number</code> is a number and not a string. Otherwise, it is generally easier to output encode as a rule.</li></ul><h2 id="acf4f237-445c-4951-8553-29643b682f8c" data-toc-id="acf4f237-445c-4951-8553-29643b682f8c">Does this Best Practice not protect against any part of a Threat?</h2>XSS Vectors change frequently. There may be attacks that exploit specific browser functionalities or new classes of vectors that emerge. Commerce Cloud's Output Encoding mechanisms mitigate significant classes of XSS attacks in most cases.Input Validation can further protect a site from unexpected inputs, limiting attacks. Additionally, some modern browsers implement automatic XSS protection filtering, which further restricts vulnerable inputs.<h3 id="f43280ad-bb47-4ee0-8563-e3be4e74087c" data-toc-id="f43280ad-bb47-4ee0-8563-e3be4e74087c">Example of Bad Practice</h3>This is a typical example of a vulnerable XSS output vector. A developer may copy code without understanding the side effects. Unfortunately for the business, the code was copied from a bad example where encoding is explicitly turned off:<pre><code class="language-html">Welcome Back &lt;isprint value="${user_name}" encoding="off"/&gt;</code></pre><img src="https://f.ezycourse.net/4154/cm7fa40q007sggj9n4khl9nnh.png" alt="image" style="width: 100%; height: auto; cursor: pointer;" draggable="true">Another bad practice involves <a target="_blank" href="http://dw.io">dw.io</a>.PrintWriter, which does not check the contents before outputting them to HTML:<pre><code class="language-javascript">&lt;isscript&gt;
 out.println("");
 out.println(custom_comment); // allow bolding
 out.println("");
&lt;/isscript&gt;</code></pre><img src="https://f.ezycourse.net/4154/cm7fa59fu07j0kl9ng5dj072f.png" alt="image" style="width: 100%; height: auto; cursor: pointer;" draggable="true">A common anti-pattern is outputting JSON data without encoding:<pre><code class="language-js">&lt;isscript&gt;
 var comments = CustomerHelpers.getCommentsForProduct(product_id);
 var json = JSON.stringify(comments);
&lt;/isscript&gt;</code></pre><img src="https://f.ezycourse.net/4154/cm7fa7s7u07qfhs9nfkmnc4ly.png" alt="image" style="width: 100%; height: auto; cursor: pointer;" draggable="true"><h3 id="501a5200-7099-4e29-8b47-f46f9b525a7b" data-toc-id="501a5200-7099-4e29-8b47-f46f9b525a7b">Example of Best Practice</h3>The first example is a simple fix. The developer can change the encoding option to <code>"on"</code> or remove the encoding attribute entirely, since <code>&lt;isprint /&gt;</code> encodes automatically by default:<pre><code class="language-html">Welcome Back &lt;isprint value="${user_name}" encoding="on"/&gt;
Welcome Back &lt;isprint value="${user_name}"/&gt;</code></pre>To fix the second example, developers should be extremely cautious. The recommended fix is to encode the full value using SecureEncoder:<pre><code class="language-javascript">&lt;isscript&gt;
 out.println("");
 var clean_custom_comment = dw.util.SecureEncoder.forHTMLContent(custom_comment); // disallow all HTML
 out.println(clean_custom_comment);
 out.println("");
&lt;/isscript&gt;</code></pre>For the JSON output case, the correct approach is double encoding. Since this JSON contains comments to be injected into HTML, the first encoding should be for HTML. Then, the data is transferred via JavaScript, so JSON.stringify handles encoding:<pre><code class="language-javascript">&lt;isscript&gt;
 var comments = CustomerHelpers.getCommentsForProduct(product_id);
 for(var key in comments) {
 if(comments.hasOwnProperty(key)) {
 comments[key] = dw.util.SecureEncoder.forJSONValue(comments[key]); // Ensure JSON values are encoded
 }
 }
 var json = JSON.stringify(comments); // turn JSON into a manageable string
&lt;/isscript&gt;</code></pre>👉 More Info on SFCC Security<ul><li><a target="_new" rel="noopener" href="https://sfcclearning.com/infocenter/content/b2c_commerce/topics/b2c_security_best_practices/b2c_cross_site_scripting.php">Security Best Practices for Developers: Cross-Site Scripting</a></li><li><a target="_new" rel="noopener" href="https://sfcclearning.com/infocenter/content/b2c_commerce/topics/b2c_security_best_practices/b2c_data_validation.php">Security Best Practices for Developers: Data Validation</a></li><li><a target="_new" rel="noopener" href="https://sfcclearning.com/infocenter/content/b2c_commerce/topics/site_development/b2c_content_best_practices.php">Template Best Practices</a></li><li><a target="_new" rel="noopener" href="https://sfcclearning.com/infocenter/DWAPI/scriptapi/html/api/class_dw_util_SecureEncoder.php">dw.util.SecureEncoder Class</a></li><li><a target="_new" rel="noopener" href="https://sfcclearning.com/infocenter/content/b2c_commerce/topics/isml/b2c_isprint.php">&lt;isprint&gt; ISML Tag</a></li></ul><hr><h2 id="045b502b-3a53-42ba-8afd-4a65bb02d429" data-toc-id="045b502b-3a53-42ba-8afd-4a65bb02d429">Recommended Courses</h2><ul><li><a target="_blank" href="https://www.sfcclearning.com/course-detail/salesforce-javascript-developer-certified-tests/17822">Salesforce Javascript Developer I - Certification Tests</a></li><li><a target="_blank" href="https://www.sfcclearning.com/course-detail/course-b2c-commerce-developer/17905">Salesforce B2C Commerce Developer - Certification Tests</a></li><li><a target="_blank" href="https://www.sfcclearning.com/course-detail/salesforce-b2c-commerce-architect-certification-tests/17955">Salesforce B2C Commerce Architect - Certification Tests</a></li><li><a target="_blank" href="https://www.sfcclearning.com/course-detail/sfcc-d2c-quick-start-guide/19116">Salesforce Commerce Cloud D2C: Quick Start Guide</a></li></ul>

Discover the key differences between Site Preferences and Organization Preferences in Salesforce B2C Commerce Cloud. Learn how each impacts customization, security, and performance to optimize your e-commerce setup.

Cross-Site Scripting Defense in Salesforce Commerce Cloud

How does this Best Practice protect against Threats?

Does this Best Practice not protect against any part of a Threat?

Discover expert insights, best practices, and in-depth guides on Salesforce Commerce Cloud. Stay ahead with SFCC Success Secrets and optimize your e-commerce strategy today!

Cross-Site Scripting Defense in Salesforce Commerce Cloud

Cross-Site Scripting Defense in Salesforce Commerce Cloud

Related Posts

Backups in SFCC: What You Need to Protect Your Store

How to Properly Import and Manage Pricebooks in Salesforce B2C Commerce

Preparing for a Go Live on Salesforce Commerce Cloud: Lessons from Real Projects

Why You Should Care About High Scale Price Books in Salesforce

Uncomfortable truths about SFCC (no one tells you this)