Before submitting my app for Security Review, I checked it with the free scanner.
It marked the following line of JS code in a Visualforce page as a Critical XSS vulnerability:
<script>var trueOrFalse = '{!MyObject__c.chk_CheckboxField__c}';</script>
As far as I know I cannot go into Security Review with such findings, although this is a false positive, as the report mentions.
How can I cure this efficiently?
<script>var trueOrFalse = '{!JSENCODE(MyObject__c.chk_CheckboxField__c)}';</script>
does not work, as JSENCODE expects text and not a boolean.
<script>var trueOrFalse = '{!JSENCODE(TEXT(MyObject__c.chk_CheckboxField__c))}';</script>
also doesn't work, as TEXT() does not accept Boolean values.
What should I do?
Answer
You do not need to rewrite the code to eliminate scanner false positives — there will always be false positives.
However, if you want to rewrite the code, then you can replace a boolean with a text literal and then cast to a Bool.
<script>
// absurd way to quiet the scanner; compare the emitted literal instead of
// calling Boolean() on it, because Boolean('false') is true in JavaScript
var foo = '{!JSENCODE(IF(MyObject__c.chk_CheckboxField__c, "true", "false"))}' === 'true';
</script>
As an aside, in the next iteration of the rules, this false positive should be taken care of.
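As an added example (not part of the original question or answer), the following Node script models what the IF(...)/JSENCODE merge field above renders for both checkbox values and shows why the client side must compare the emitted literal rather than coerce it with Boolean(): Boolean('false') is true in JavaScript. The function names jsEncode, renderMergeField, parseFlag and renderScriptTag are assumptions for this illustration, and jsEncode is only an approximation of the platform's JSENCODE.

```javascript
// Approximation of JSENCODE: escape the characters that could break out of
// a JavaScript string literal. For the literals "true"/"false" it is a
// no-op, which is why a boolean checkbox merge field cannot carry XSS and
// the scanner finding on the original line is a false positive.
function jsEncode(text) {
  return String(text)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Server side (simulated): IF() turns the checkbox boolean into a text
// literal that JSENCODE accepts.
function renderMergeField(checked) {
  return jsEncode(checked ? 'true' : 'false');
}

// Client side: strict mapping of the rendered literal back to a boolean.
// Anything other than the two expected literals is rejected rather than
// silently coerced.
function parseFlag(literal) {
  if (literal === 'true') return true;
  if (literal === 'false') return false;
  throw new Error('unexpected flag literal: ' + literal);
}

// The pitfall: Boolean() on a non-empty string is always true.
function naiveCast(literal) {
  return Boolean(literal);
}

// Constructed example of the <script> block the browser receives for a
// given checkbox state, using the string comparison instead of Boolean().
function renderScriptTag(checked) {
  return "<script>var foo = '" + renderMergeField(checked) + "' === 'true';</script>";
}

// Stand-alone demonstration.
for (const checked of [true, false]) {
  const literal = renderMergeField(checked);
  console.log(renderScriptTag(checked));
  console.log('parseFlag ->', parseFlag(literal), '| Boolean() ->', naiveCast(literal));
}
```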
Attribution
Source: Link, Question Author: Robert Sösemann, Answer Author: Robert Sussland