
    What is Cross-Site Scripting?

    Updated 26 July 2017

    In this blog, we will learn about cross-site scripting. Let’s start with what cross-site scripting is.

    What is Cross-Site Scripting?

    Cross-Site Scripting (XSS) allows an attacker to damage an existing application or abuse it for their own ends. XSS injection becomes possible wherever an attacker has scope to insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page. It can expose confidential data to the attacker and so lead to the loss of valuable information.

    What are the Types of XSS Attacks?

    There are the following types of XSS attacks:

    Stored XSS : If we provide a platform through which end users can save information to the database, and that information is later shown to other users, it gives the attacker an opening to harm our system and steal valuable information, leaving us vulnerable.

    Reflected XSS : Malicious input sent through a URL parameter and echoed back in the server's response is reflected XSS.


    DOM-based XSS : This refers to changes made to the DOM on the client side. The page served by the server does not change, but it executes in a way that was not intended.

    Impact of XSS

    XSS has the following impacts:

    1) Arbitrary Requests : The attacker can use XSS to send requests from the victim's browser and obtain information from the user's side.
    2) Malware Download : Sometimes we receive spam mail through which malware could be downloaded.
    3) Log keystrokes : The attacker could record keystrokes to capture a username and password and log in later.


    Let us visualize the concept of XSS in Salesforce through an example. Create a new Visualforce page and write the following code:

    <apex:page>
        <!--
         * XSSDemo
         * Webkul Software.
         * @category  Webkul
         * @author    Webkul
         * @copyright Copyright (c) 2010-2016 Webkul Software Private Limited (
         * @license
        -->
        <div id='container'></div>
        <script>
            // The URL parameter "param" is written straight into the page as HTML.
            document.querySelector('#container').innerHTML='You searched for <b>{!$CurrentPage.parameters.param}</b>';
        </script>
    </apex:page>

    As you can notice, the current page parameter “param” is reflected in the page. Let us pass a string parameter, e.g. ‘account’, through the URL as follows:


    We will get the desired output:

    Now let us pass an incorrect parameter as follows:


    We will get the distorted output:

    The example shared above is a case of reflected XSS.
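    To make the defect in the page above concrete, here is an added example (not code from the original post or from Webkul) that models the same sink in plain JavaScript so it runs without a browser: the parameter is concatenated into 'You searched for <b>…</b>' once unencoded and once HTML-encoded, and a small helper checks whether the rendered markup contains any tag the template did not put there. The sample inputs are constructed for the demonstration.

```javascript
// HTML-encode the five characters that can change HTML structure or end an
// attribute. This is the same idea as the encoding functions Visualforce
// offers (HTMLENCODE, or JSINHTMLENCODE for a value that sits inside a
// JavaScript string and is later written into the document as HTML).
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the parameter goes straight into the markup, exactly
// as the demo page does with {!$CurrentPage.parameters.param}.
function renderUnsafe(param) {
  return 'You searched for <b>' + param + '</b>';
}

// Hardened rendering: the value is encoded before it reaches the HTML sink,
// so it is displayed as text instead of being parsed as markup.
function renderSafe(param) {
  return 'You searched for <b>' + htmlEncode(param) + '</b>';
}

// Detection helper: list every tag in the output and return those that are
// not the <b>/</b> pair the template itself emits. Anything else means the
// parameter was able to alter the page structure.
function foreignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?b>$/.test(t));
}

// Constructed sample inputs: a normal search term, and one that closes the
// template's <b> element and adds its own markup.
const NORMAL_PARAM = 'account';
const MARKUP_PARAM = '</b><u>not from the template</u>';

console.log(renderUnsafe(MARKUP_PARAM), foreignTags(renderUnsafe(MARKUP_PARAM)));
console.log(renderSafe(MARKUP_PARAM), foreignTags(renderSafe(MARKUP_PARAM)));
```

    The same parameter that adds a <u> element in the unsafe version is shown verbatim in the safe one, which is the behaviour the “distorted output” screenshot illustrates and the fix the Visualforce page needs.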


    That’s all for cross-site scripting. If you still have any issue, feel free to add a ticket, and let us know your views to help us make it better.

