generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute
Visualforce pages must set the `cspHeader` attribute to `true` so that the page is served with a Content Security Policy (CSP) header. This attribute is available in API version 55 or higher; pages on an older API version cannot use it.
Definition
# Semgrep rule: report Visualforce pages that do not explicitly opt in to a
# Content Security Policy header via cspHeader="true". Runs in generic (text)
# mode over *.page files, so matching is token-based, not XML-aware.
rules:
  - id: csp-header-attribute
    languages:
      - generic
    # INFO rather than ERROR: a missing or disabled CSP header removes a
    # defence-in-depth layer against XSS; it is not itself an injection point.
    severity: INFO
    message: Visualforce Pages must have the cspHeader attribute set to true. This
      attribute is available in API version 55 or higher.
    metadata:
      # CSP is a browser-side mitigation for script injection, hence CWE-79.
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5
      category: security
      subcategory:
        - vuln
      technology:
        - salesforce
        - visualforce
      cwe2022-top25: true
      cwe2021-top25: true
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    patterns:
      # Every <apex:page> element, opening tag through closing tag. An explicit
      # cspHeader="false" is reported the same way as a missing attribute (see
      # the third example in the test fixture).
      # NOTE(review): generic-mode `...` has a bounded line span
      # (generic_ellipsis_max_span); confirm long pages are still matched.
      - pattern: <apex:page...>...</apex:page>
      # Pages that opt in explicitly. Only the double-quoted spelling is
      # recognised. NOTE(review): XML also permits cspHeader='true', which this
      # pattern-not does not cover and which would therefore be reported —
      # consider adding a second pattern-not for the single-quoted form.
      - pattern-not: <apex:page...cspHeader="true"...>...</apex:page>
      # Opt-out: pages carrying a "deprecated" XML comment are not reported.
      # Only these two exact spellings (no space / one space) are recognised.
      # NOTE(review): this is a silence-by-comment mechanism with no expiry;
      # review additions of this marker the same way as a nosemgrep comment.
      - pattern-not: <apex:page...>...<!--deprecated-->...</apex:page>
      - pattern-not: <apex:page...>...<!-- deprecated -->...</apex:page>
    paths:
      include:
        - "*.page"
Examples
CSPHeaderAttribute.page
<!-- Test fixture for csp-header-attribute. Each ruleid:/ok: annotation must
     stay on the line directly above the page element it refers to. -->

<!-- Reported: no cspHeader attribute on the opening tag. -->
<!-- ruleid: csp-header-attribute -->
<apex:page docType="html-5.0" sidebar="false" standardController="Account" extensions="DefaultAppController, TemplateController">
  <apex:slds />
  <nFORCE:Include_SLDS_A11y_Overrides />
</apex:page>

<!-- Reported: bare page, no attributes at all. -->
<!-- ruleid: csp-header-attribute -->
<apex:page>
</apex:page>

<!-- Reported: the header is explicitly switched off (cspHeader set to false);
     the rule treats this the same as a missing attribute. -->
<!-- ruleid: csp-header-attribute -->
<apex:page docType="html-5.0" sidebar="false" controller="AdministrationController" cspHeader="false">
  <apex:composition template="Template_Base">
    <apex:define name="topbar">
      <apex:include pageName="{!IF(isNull(route.Topbar__c),'nFORCE__InvalidRouteConfiguration',route.Topbar__c)}" />
    </apex:define>
    <apex:define name="navigation">
      <apex:include pageName="{!IF(isNull(route.Navigation__c),'nFORCE__InvalidRouteConfiguration',route.Navigation__c)}" />
    </apex:define>
    <apex:define name="subNavigation">
      <apex:include pageName="{!IF(isNull(route.Sub_Navigation__c),'nFORCE__InvalidRouteConfiguration',route.Sub_Navigation__c)}" />
    </apex:define>
    <apex:define name="body">
      <apex:include pageName="{!IF(isNull(route.Body__c),'nFORCE__InvalidRouteConfiguration',route.Body__c)}" />
    </apex:define>
  </apex:composition>
</apex:page>

<!-- Not reported: explicit opt-in with cspHeader set to "true" in double
     quotes. As written, the rule only recognises the double-quoted spelling;
     a single-quoted value has no matching pattern-not. -->
<!-- ok: csp-header-attribute -->
<apex:page docType="html-5.0" cspHeader="true">
  <c:ManagePermissionSets />
</apex:page>

<!-- Not reported: the page body carries the deprecation marker comment with
     no surrounding spaces. The page after it is an identical duplicate. -->
<!-- ok: csp-header-attribute -->
<apex:page>
  <!--deprecated-->
</apex:page>
<!-- ok: csp-header-attribute -->
<apex:page>
  <!--deprecated-->
</apex:page>

<!-- Not reported: same marker with one space on either side, the only other
     spelling the rule accepts. The page after it is an identical duplicate. -->
<!-- ok: csp-header-attribute -->
<apex:page>
  <!-- deprecated -->
</apex:page>
<!-- ok: csp-header-attribute -->
<apex:page>
  <!-- deprecated -->
</apex:page>