Content Best Practices

Building a secure custom website with Salesforce B2C Commerce involves paying attention to all areas that are vulnerable to attack and preventing it.

According to Wikipedia, "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy."

"The impact of cross-site scripting carried out on websites can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner."

To prevent malicious attacks through content manipulation, you must ensure that all shown content is encoded.

If a script expression such as ${pdict.ProductSearchResult.searchPhrase} is used in an ISML template, where the content type is set via the following:

<iscontent type="text/html" charset="UTF-8" compact="true">

The script result is automatically HTML encoded.

But if the same expression is used in an ISML template that is included via <isinclude template=""> and no content type is set in the included ISML snippet, the content type text/plain is assumed and no HTML encoding takes place. This is inconsistent and can lead to XSS problems.

To correct this, you must explicitly set the content type or use <isprint value="{}"/> to ensure the resulting HTML is encoded.

Setting the Content Type

To ensure that a script expression is HTML encoded, you must set the included page's content type to text/html via the following statement:

<iscontent type="text/html" charset="UTF-8" compact="true">
If you include pages, ensure that you set the content type, as described.

Using <isprint>

In SiteGenesis, we have addressed this problem by using the <isprint> element instead of merely using the following:


The <isprint> element ensures that special characters are HTML encoded.

For example:

<isprint value="${pdict.ProductSearchResult.searchPhrase}"/>

results in:

&#39;;alert&#40;&#39;hallo welt!&#39;&#41;;x=&#39;

This notation avoids cross-side scripting attacks, because the alert() function is obfuscated for the browser.

Check all areas in your code where ${pdict.ProductSearchResult.searchPhrase} is used and add the <isprint> function, as described.

Example - searchresultheader.isml

In a customized searchresultheader.isml template, use this:

<span class="term">"
<isif condition="${!empty(pdict.ProductSearchResult.searchPhrase)}">
<isprint value="${pdict.ProductSearchResult.searchPhrase}"/>

Instead of this:

<span class="term">

Related Links

Content Assets

Using Content Link Functions