Hi all. We have now finished the porting of our first process and all is working very well. We did have the system pen tested and one of the things found is the following.
Description
It was found that it is possible to submit valid HTML syntax such as script tags <script></script>
and other possibly harmful characters which may be interpreted as code. Although these characters
are not processed as code in the tested Workflow web application, if this data is used in another web
application that is inadvertently vulnerable to a flaw such as Cross-Site Scripting, an attack would be
successful.
Input sanitization is an approach to data handling that deliberately removes or replaces potential code
syntax from user input that is received by an application. This includes special characters such as
'<', '>', '/'. For example, submitting <script>alert(document.cookie)</script> could display the
session cookie in a web application vulnerable to Cross-Site Scripting.
Business Impact
If the attacker is able to submit script tags and HTML tags, this could allow the attacker to see hidden
parameters and execute arbitrary code within the user’s browser.
Attack Prerequisites
An attacker needs basic knowledge of JavaScript and HTML.
So my question is: is there an easy way in APEX itself to strip input data of HTML and JavaScript code?
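As an added example (not from the original post or the pentest report), here are two PL/SQL helpers built only on standard Oracle REPLACE/REGEXP_REPLACE, one for each strategy the report describes: replacing the listed characters with HTML entities, or removing tags outright. The package name input_guard and the item name P1_COMMENT are assumed for illustration.

```sql
-- Added example: illustrative package, not part of APEX or the original post.
CREATE OR REPLACE PACKAGE input_guard AS
  -- "Replace" strategy: keep the user's text but neutralise it for HTML output.
  FUNCTION escape_html(p_in IN VARCHAR2) RETURN VARCHAR2;
  -- "Remove" strategy: drop every <...> tag, repeating until the text is stable,
  -- so that a fragment left behind after one pass cannot itself form a new tag.
  FUNCTION strip_tags(p_in IN VARCHAR2) RETURN VARCHAR2;
END input_guard;
/
CREATE OR REPLACE PACKAGE BODY input_guard AS
  FUNCTION escape_html(p_in IN VARCHAR2) RETURN VARCHAR2 IS
    l_out VARCHAR2(32767) := p_in;
  BEGIN
    -- '&' must go first, otherwise the entities produced below would be escaped again.
    l_out := REPLACE(l_out, '&', '&amp;');
    l_out := REPLACE(l_out, '<', '&lt;');
    l_out := REPLACE(l_out, '>', '&gt;');
    l_out := REPLACE(l_out, '"', '&quot;');
    l_out := REPLACE(l_out, '''', '&#39;');
    l_out := REPLACE(l_out, '/', '&#47;');   -- the '/' the report lists
    RETURN l_out;
  END escape_html;

  FUNCTION strip_tags(p_in IN VARCHAR2) RETURN VARCHAR2 IS
    l_prev VARCHAR2(32767);
    l_out  VARCHAR2(32767) := p_in;
  BEGIN
    LOOP
      l_prev := l_out;
      l_out  := REGEXP_REPLACE(l_out, '<[^>]*>', '');
      -- NULL = NULL is never true in Oracle, so guard against an empty result explicitly.
      EXIT WHEN l_out IS NULL OR l_out = l_prev;
    END LOOP;
    RETURN l_out;
  END strip_tags;
END input_guard;
/
-- Usage in a page process or validation on the item the tester submitted to (assumed name):
-- :P1_COMMENT := input_guard.strip_tags(:P1_COMMENT);
-- And wherever the value is rendered into a page:
-- SELECT input_guard.escape_html(comment_text) FROM workflow_comments;
```

Stripping on input protects the other applications the report worries about, but escaping at output time is what actually stops the value from being interpreted as code in a page; APEX's own APEX_ESCAPE package (apex_escape.html) does the same entity replacement as escape_html above, so check which version you are on before rolling your own.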