
[fix] Security Hardening: Fix SOQL Injection & XSS Vulnerabilities, Update API to v65 #184

Merged
tprouvot merged 16 commits into main from fix/securityImprovements
Jan 9, 2026

Conversation

@tprouvot tprouvot (Collaborator) commented Jan 8, 2026

🔒 Security Fixes

This PR addresses multiple critical security vulnerabilities identified in the Action Plans codebase:

1. SOQL Injection Prevention

  • Fixed in: ActionPlansSectionHeaderController.cls
  • Refactored queryRecords() method to use binding variables and type casting
  • Added new searchRecords() method with proper input validation and escaping
  • Prevents dynamic SOQL query construction from user input
  • See: SECURITY_FIX_ANALYSIS.md and SECURITY_FIX_APLightningLookup.md

2. Cross-Site Scripting (XSS) Prevention

  • Fixed in:
    • APLightningLookup.component - Multiple XSS vectors eliminated
    • ActionPlanCreation.page - Template search results now properly escaped
  • All user input and database values are now HTML-escaped before DOM insertion
  • Changed Visualforce remoting from { escape: false } to { escape: true }
  • Implemented jQuery text-based escaping for all dynamic HTML content

3. Sharing Model Improvements

  • Changed ActionPlanCreateInvocable from without sharing to inherited sharing
  • Changed ActionPlansTriggerHandlers from without sharing to inherited sharing
  • Provides flexibility for automation while maintaining security when called from user context
  • Added comprehensive documentation explaining the security implications

🔄 Technical Updates

  • API Version: Upgraded from 62.0 to 65.0 across all metadata (81 files)
  • Test Suite: Added LabsActionPlans.testSuite-meta.xml for organized test execution
  • Bug Fix: Corrected typo in sfdx-project.json ("suppports" → "supports")

📝 Files Changed

  • 81 files modified with 252 insertions and 160 deletions
  • Key components:
    • 1 Apex controller (security refactoring)
    • 2 Apex classes (sharing model updates)
    • 1 Visualforce component (XSS fixes)
    • 1 Visualforce page (XSS fixes)
    • 76 metadata files (API version bump)

🎯 Impact

This PR eliminates critical security vulnerabilities that could allow:

  • SOQL injection attacks
  • Cross-site scripting (XSS) attacks
  • Session hijacking
  • Unauthorized data access

Related PR

Copy of #183, which was closed because of a pipeline failure caused by its having been created from a fork.
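The binding-variable refactor described under "SOQL Injection Prevention", shown as an added illustration that is not the project's own ActionPlansSectionHeaderController code: a concatenating lookup query beside the hardened form that validates the object name against the schema and passes the search term as a bind. The class and method names are assumptions for the example.

```apex
// Added example (not the Action Plans project's code): vulnerable dynamic SOQL
// beside the bind-variable pattern the PR description refers to.
public with sharing class LookupSearchExample {

    public class LookupException extends Exception {}

    // VULNERABLE: user input is concatenated straight into the query string.
    // A search term containing a quote lets the caller rewrite the WHERE clause,
    // and an arbitrary objectName lets them query any object.
    public static List<SObject> queryRecordsUnsafe(String objectName, String searchTerm) {
        String soql = 'SELECT Id, Name FROM ' + objectName +
                      ' WHERE Name LIKE \'%' + searchTerm + '%\' LIMIT 10';
        return Database.query(soql);
    }

    // HARDENED: the object name is resolved through the schema describe (type check),
    // so only a real, accessible object can reach the FROM clause, and the search term
    // is passed as a bind variable, so it is treated as data and can never alter the query.
    public static List<SObject> searchRecords(String objectName, String searchTerm) {
        if (String.isBlank(objectName) || searchTerm == null) {
            throw new LookupException('Object name and search term are required');
        }
        Schema.SObjectType sobjType = Schema.getGlobalDescribe().get(objectName.toLowerCase());
        if (sobjType == null || !sobjType.getDescribe().isAccessible()) {
            throw new LookupException('Unknown or inaccessible object');
        }
        // Use the describe's canonical API name rather than the raw input.
        String apiName = sobjType.getDescribe().getName();

        // LIKE wildcards in user input only widen the match; they cannot change query structure.
        // Do not escapeSingleQuotes a bound value: the backslash would become a literal search char.
        String term = '%' + searchTerm + '%';
        String soql = 'SELECT Id, Name FROM ' + apiName + ' WHERE Name LIKE :term LIMIT 10';

        // queryWithBinds (API 57+) supplies binds explicitly and enforces the running
        // user's object/field permissions through AccessLevel.USER_MODE.
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'term' => term },
            AccessLevel.USER_MODE
        );
    }
}
```

The same principle applies on the Visualforce side of this PR: data returned to the page is HTML-escaped (remoting with `{ escape: true }`, jQuery `.text()` rather than `.html()`) so a stored value containing markup is rendered as text, not interpreted.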

@tprouvot tprouvot requested a review from VinceFINET January 8, 2026 15:17
@tprouvot tprouvot merged commit a009a34 into main Jan 9, 2026
6 checks passed