Back to LinkedIn posts

LinkedIn post 281

About 3 years ago, someone in the UK founded a company and gave it the name “><​SCR...

About 3 years ago, someone in the UK founded a company and gave it the name “><​SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD 😳

He said he thought it would be a playful name for his consulting business. 😜

That name with a quotation mark and chevron would cause issues in any site that didn't properly escape the HTML code. The site would load and execute a script from the XSS Hunter, another site that helps developers expose cross-site scripting (XSS) vulnerabilities by displaying an alert that served as proof of vulnerability.

There was another person who registered ; DROP TABLE "Companies";-- Ltd
which would likely be a problem on some databases if not escaped properly.

Now let's say you have a query in Salesforce looking like this:

List<User> userList =
Database.query(
'SELECT Id FROM User WHERE UserName = \'' + userInput + '\''
);

If you didn't escape that userInput string, someone could maliciously enter
\' OR CreatedDate != null OR Name = \' (single quotes included) to make that query return all users.

The following Trailhead teaches some methods to deal with that threat:
🔗 https://lnkd.in/gjEgrUDY

text