- Home
- Salesforce
- Salesforce Certified Platform Developer I
- Salesforce.CRT-450.v2024-07-02.q97
- Question 34
Valid CRT-450 Dumps shared by ExamDiscuss.com for Helping Passing CRT-450 Exam! ExamDiscuss.com now offer the newest CRT-450 exam dumps, the ExamDiscuss.com CRT-450 exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com CRT-450 dumps with Test Engine here:
Access CRT-450 Dumps Premium Version
(205 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question Next Question >>
Question 34/97
A developer has a Apex controller for a Visualforce page that takes an ID as a URL parameter. How should the developer prevent a cross site scripting vulnerability?
Correct Answer: C
Cross site scripting (XSS) is a vulnerability that occurs when an attacker can insert unauthorized HTML or JavaScript code into a web page viewed by other users. This can lead to hijacking the user's session, stealing confidential information, or defacing the page. To prevent XSS, the developer should always validate and encode any user-supplied data before displaying it on the page. The ApexPages.currentPage() .getParameters()
.get('url_param') method returns the value of the URL parameter as a string, but does not perform any validation or encoding. Therefore, it is vulnerable to XSS if the parameter contains malicious code. The ApexPages.currentPage() .getParameters() .get('url_param') .escapeHtml4() method escapes the HTML characters in the parameter value, such as <, >, &, and ", but does not prevent JavaScript code from being executed. Therefore, it is also vulnerable to XSS if the parameter contains a script tag or an event handler attribute. The String.escapeSingleQuotes(ApexPages.currentPage() .getParameters(). get('url_param')) method escapes the single quotes in the parameter value, but does not affect any other characters. Therefore, it is also vulnerable to XSS if the parameter contains any HTML or JavaScript code. The String.ValueOf(ApexPages.currentPage() .getParameters() .get('url_param')) method converts the parameter value to a string and encodes any HTML characters as HTML entities, such as <, >, &, and ". This prevents any HTML or JavaScript code from being rendered or executed on the page. Therefore, it is the best option to prevent XSS. References: You can learn more about XSS and how to prevent it in Apex from the following sources:
* Cross Site Scripting (XSS) | Apex Developer Guide
* Secure Coding Cross Site Scripting | Secure Coding Guide
* Cross-Site Scripting in Apex | SecureFlag Security Knowledge Base
.get('url_param') method returns the value of the URL parameter as a string, but does not perform any validation or encoding. Therefore, it is vulnerable to XSS if the parameter contains malicious code. The ApexPages.currentPage() .getParameters() .get('url_param') .escapeHtml4() method escapes the HTML characters in the parameter value, such as <, >, &, and ", but does not prevent JavaScript code from being executed. Therefore, it is also vulnerable to XSS if the parameter contains a script tag or an event handler attribute. The String.escapeSingleQuotes(ApexPages.currentPage() .getParameters(). get('url_param')) method escapes the single quotes in the parameter value, but does not affect any other characters. Therefore, it is also vulnerable to XSS if the parameter contains any HTML or JavaScript code. The String.ValueOf(ApexPages.currentPage() .getParameters() .get('url_param')) method converts the parameter value to a string and encodes any HTML characters as HTML entities, such as <, >, &, and ". This prevents any HTML or JavaScript code from being rendered or executed on the page. Therefore, it is the best option to prevent XSS. References: You can learn more about XSS and how to prevent it in Apex from the following sources:
* Cross Site Scripting (XSS) | Apex Developer Guide
* Secure Coding Cross Site Scripting | Secure Coding Guide
* Cross-Site Scripting in Apex | SecureFlag Security Knowledge Base
- Question List (97q)
- Question 1: A developer is creating a test coverage for a class and need...
- Question 2: When a user edits the Postal Code on an Account, a custom Ac...
- Question 3: What is an example of a polymorphic lookup field in Salesfor...
- 3 commentQuestion 4: AW Computing tracks order information in custom objects call...
- Question 5: A company has been adding data to Salesforce and has not don...
- Question 6: Since Aura application events follow the traditional publish...
- Question 7: The following automations already exist on the Account objec...
- Question 8: The Job_Application__c custom object has a field that is a M...
- Question 9: A developer created a trigger on the Account object. While t...
- 2 commentQuestion 10: Refer to the following code snippet for an environment has m...
- Question 11: Universal Containers stores the availability date on each Li...
- Question 12: Universal Containers wants to automatically assign new cases...
- Question 13: A developer is designing a new application on the Salesforce...
- Question 14: Universal Containers wants to ensure that all new leads crea...
- Question 15: A developer is creating a page that allows users to create m...
- Question 16: Universal Containers implemented a private sharing model for...
- Question 17: Universal Container uses Service Cloud with a custom field, ...
- Question 18: Universal Containers has an order system that uses an Order ...
- Question 19: A developer is alerted to an issue with a custom Apex trigge...
- Question 20: A developer wants to mark each Account in a List<Account&...
- Question 21: A developer created these three Rollup Summary fields in the...
- Question 22: A developer is writing tests for a class and needs to insert...
- Question 23: Which statement should be used to allow some of the records ...
- Question 24: A developer created a Lightning web component called statusC...
- 1 commentQuestion 25: A developer writes a trigger on the Account object on the be...
- Question 26: A custom Visualforce controller calls the ApexPages,addMessa...
- 2 commentQuestion 27: Consider the following code snippet for a Visualforce page t...
- Question 28: A company decides to implement a new process where every tim...
- 3 commentQuestion 29: A developer wrote an Apex method to update a list of Contact...
- 4 commentQuestion 30: A developer wants to import 500 Opportunity records into a s...
- Question 31: A developer must perform a complex SOQL query that joins two...
- 3 commentQuestion 32: What are three considerations when using the @InvocableMetho...
- 1 commentQuestion 33: Given the following Apex statement: (Exhibit) What occurs wh...
- 1 commentQuestion 34: A developer has a Apex controller for a Visualforce page tha...
- Question 35: Which three resources in an Azure Component can contain Java...
- Question 36: n org has an existing flow that creates an Opportunity with ...
- Question 37: A developer wrote Apex code that calls out to an external sy...
- 2 commentQuestion 38: Which exception type cannot be caught?...
- 2 commentQuestion 39: An Apex method, getAccounts, that returns a list of Accounts...
- Question 40: When a user edits the Postal Code on an Account, a custom Ac...
- 2 commentQuestion 41: Which annotation exposes an Apex class as a RESTful web serv...
- 1 commentQuestion 42: A developer created a trigger on a custom object. This custo...
- Question 43: While working in a sandbox, an Apex test fails when run in t...
- 1 commentQuestion 44: Universal Containers has a support process that allows users...
- Question 45: If apex code executes inside the execute() method of an Apex...
- Question 46: Which scenario is valid for execution by unit tests?...
- Question 47: Which two are best practices when it comes to component and ...
- Question 48: How does the Lightning Component framework help developers i...
- Question 49: A company has a custom object, Order__c, that has a required...
- Question 50: A developer needs to create a baseline set of data (Account,...
- 1 commentQuestion 51: In the Lightning UI, where should a developer look to find i...
- Question 52: A developer is migrating a Visualforce page into a Lightning...
- 1 commentQuestion 53: A developer is implementing an Apex class for a financial sy...
- Question 54: Which statement describes the execution order when trigger a...
- 1 commentQuestion 55: An org tracks customer orders on an Order object and the ite...
- Question 56: Universal Containers wants a list button to display a Visual...
- Question 57: As part of new feature development, a developer is asked to ...
- Question 58: A Salesforce Administrator used Flow Builder to create a flo...
- Question 59: What should a developer use to script the deployment and uni...
- Question 60: A credit card company needs to implement the functionality f...
- Question 61: Universal Container wants Opportunities to no longer be edit...
- Question 62: In the following example, which sharing context will myMetho...
- 2 commentQuestion 63: Which statement generates a list of Leads and Contacts that ...
- Question 64: How is a controller and extension specified for a custom obj...
- Question 65: What can be used to override the Account's standard Edit but...
- Question 66: Given the following code snippet, that is part of a custom c...
- Question 67: What should be used to create scratch orgs?...
- 2 commentQuestion 68: Which three data types can a SOQL query return? Choose 3 ans...
- Question 69: A developer creates a batch Apex job to update a large numbe...
- Question 70: Which Lightning Web Component custom event property settings...
- 3 commentQuestion 71: Which three resources in an Aura component can contain JavaS...
- 3 commentQuestion 72: Managers at Universal Containers want to ensure that only de...
- Question 73: In terms of the MVC paradigm, what are two advantages of imp...
- Question 74: Universal Container* decides to use purely declarative devel...
- Question 75: A development team wants to use a deployment script to autom...
- 1 commentQuestion 76: Einstein Next Best Action Is configured at Universal Contain...
- Question 77: What are three ways for a developer to execute tests in an o...
- Question 78: A developer must troubleshoot to pinpoint the causes of perf...
- Question 79: Universal Containers has a Visualforce page that displays a ...
- Question 80: An org has an existing Flow that creates an Opportunity with...
- 2 commentQuestion 81: Which three statements are true regarding custom exceptions ...
- 2 commentQuestion 82: What is the result of the following code?...
- Question 83: Developers at Universal Containers (UC) use version control ...
- Question 84: For which three items can 2 trace flag be configured? Choose...
- Question 85: Which salesforce org has a complete duplicate copy of the pr...
- 1 commentQuestion 86: How can a developer check the test coverage of active Proces...
- Question 87: A developer Is Integrating with a legacy on-premise SQL data...
- Question 88: Universal Container wants Opportunities to no longer be edit...
- Question 89: What are two benefits of using declarative customizations ov...
- 1 commentQuestion 90: What are two considerations for running a flow in debug mode...
- Question 91: Universal Containers has implemented an order management app...
- Question 92: A developer must implement a CheckPaymentProcessor class tha...
- Question 93: Which code displays the contents of a Visualforce page as a ...
- Question 94: Cloud Kicks Fitness, an ISV Salesforce partner, is developin...
- Question 95: Universal Container(UC) wants to lower its shipping cost whi...
- Question 96: When importing and exporting data into Salesforce, which two...
- 2 commentQuestion 97: What are two considerations for deploying from a sandbox to ...
Recent Comments (The most recent comments are at the top.)
the correct answer is B :
uses the escapeHtml4() method, which is specifically designed to escape characters that could be used in cross-site scripting attacks by converting them to their HTML entity equivalents. This method helps to neutralize potential XSS vectors by ensuring that characters like " <, >, &" and others are rendered harmless in HTML contexts.