Security Scanner finds XSS False Positives / JSENCODE incompatible with Boolean fields?

Before I submit my app for Security Review I checked it with the free scanner.
It marked the following line of JS code in a Visualforce page as a Critical XSS vulnerability:

<script>var trueOrFalse = '{!MyObject__c.chk_CheckboxField__c}';</script>

As far as I know I cannot go into security review with such findings, although this is a False Positive as the report mentions.
How can I cure this efficiently?

<script>var trueOrFalse = '{!JSENCODE(MyObject__c.chk_CheckboxField__c)}';</script>

does not work, as JSENCODE expects text and not a boolean.

<script>var trueOrFalse = '{!JSENCODE(TEXT(MyObject__c.chk_CheckboxField__c))}';</script>

also doesn't work, as TEXT() does not accept Boolean values.

What should I do?


You do not need to rewrite the code to eliminate scanner false positives — there will always be false positives.

However, if you want to rewrite the code, then you can replace a boolean with a text literal and then cast to a Bool.

var foo = ('{!JSENCODE(IF(MyObject__c.chk_CheckboxField__c,"true", "false"))}' === 'true'); //absurd way to quiet scanner; compare the string rather than calling Boolean(), since Boolean('false') is true

As an aside, in the next iteration of the rules, this false positive should be taken care of.

Source: Link, Question Author: Robert Sösemann, Answer Author: Robert Sussland
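As an added example (not code from the question or the answer above), the following script models what the Visualforce merge produces for the checkbox field and shows why converting the merged string with Boolean() is a pitfall: the only two values the IF() formula can emit are "true" and "false", both non-empty strings, so a strict comparison is the faithful conversion. The jsencode() helper is a local approximation of JSENCODE, not Salesforce's implementation.

```javascript
// Local stand-in for Visualforce JSENCODE (assumption: an approximation that
// escapes quotes, backslashes, angle brackets and line terminators as \uXXXX).
function jsencode(value) {
  return String(value).replace(/[\\'"<>\r\n\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Stand-in for the formula IF(MyObject__c.chk_CheckboxField__c, "true", "false"):
// a checkbox can only ever yield one of these two literals.
function mergeCheckbox(checked) {
  return checked ? 'true' : 'false';
}

// Renders the <script> line the question discusses with the merged value
// inside a single-quoted JS string literal.
function renderScriptLine(mergedText) {
  return "<script>var trueOrFalse = '" + jsencode(mergedText) + "';</script>";
}

// The cast in the answer: Boolean() treats every non-empty string as true,
// so the merged 'false' is silently turned into true.
function naiveCast(mergedText) {
  return Boolean(mergedText);
}

// Faithful conversion: compare against the literal the formula emits.
function strictCast(mergedText) {
  return mergedText === 'true';
}

// Constructed check used by the walkthrough: true only if the rendered line
// contains one of the two expected literals and no unescaped quote.
function isExpectedCheckboxLine(line) {
  return line === renderScriptLine('true') || line === renderScriptLine('false');
}
```

Running naiveCast(mergeCheckbox(false)) returns true, while strictCast(mergeCheckbox(false)) returns false; jsencode() also shows that a free-text value containing a quote or "</script>" is neutralised before it reaches the literal, which is the case the scanner rule is actually written for.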
