From 5e50b16e056b017d8e42c9cec896b14918c1c320 Mon Sep 17 00:00:00 2001
From: Peter Chittum
Date: Tue, 30 Jun 2020 08:15:25 +0100
Subject: [PATCH 1/3] [visualforce] added new global variable name to safe resources

Cherry-picked from 25cb8de645e0c016a99a933950bffdc996d74b39
---
 .../sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 948f4264aa..4c041e5296 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -296,6 +296,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
 case "$objecttype":
 case "$component":
 case "$remoteaction":
+ case "$messageservice":
 return true;
 default:

From 2fb196b16a0179b1830db129c59011fffd755799 Mon Sep 17 00:00:00 2001
From: Peter Chittum
Date: Tue, 30 Jun 2020 08:18:45 +0100
Subject: [PATCH 2/3] [visualforce] added new global variable name to safe resources

Cherry-picked from 7f0f91f71aac132e3c5ddd9ce397c73f19ebb04e
---
 .../sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 4c041e5296..51817b896c 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -296,7 +296,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
 case "$objecttype":
 case "$component":
 case "$remoteaction":
- case "$messageservice":
+ case "$messagechannel":
 return true;
 default:

From d89a6d080d8151330b4508d212043fd9dfcab0a1 Mon Sep 17 00:00:00 2001
From: Andreas Dangel
Date: Thu, 9 Jul 2020 12:11:33 +0200
Subject: [PATCH 3/3] [visualforce] Add test for VfUnescapeEl with $MessageChannel

---
 docs/pages/release_notes.md | 4 ++++
 .../pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml | 13 +++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/docs/pages/release_notes.md b/docs/pages/release_notes.md
index c1806b1dab..e66a576c54 100644
--- a/docs/pages/release_notes.md
+++ b/docs/pages/release_notes.md
@@ -18,10 +18,14 @@ This is a {{ site.pmd.release_type }} release.
 * apex-bestpractices
 * [#2626](https://github.com/pmd/pmd/issues/2626): \[apex] UnusedLocalVariable - false positive on case insensitivity allowed in Apex
+* apex-security
+ * [#2620](https://github.com/pmd/pmd/issues/2620): \[visualforce] False positive on VfUnescapeEl with new Message Channel feature
 ### API Changes
 ### External Contributions
+* [#2621](https://github.com/pmd/pmd/pull/2621): \[visualforce] add new safe resource for VfUnescapeEl - [Peter Chittum](https://github.com/pchittum)
+
 {% endtocmaker %}
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index 7e57ba6eb9..aec8e5e7d8 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
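Review bot: The `case "$messagechannel":` label added in the VfUnescapeElRule.java hunk of patch 2/3 falls through to `return true;` with no comment saying why output from that global is safe to leave unescaped. Since the label list appears to act as an allowlist that silences an XSS finding, a short rationale beside it would help the next reviewer, for example `// $MessageChannel: expands to a message channel API name, not user input`, if that is the reasoning behind #2620. The test added in patch 3/3 pins only the zero-violation case inside a quoted JavaScript string. A companion case that puts a `$MessageChannel` reference next to a controller-supplied value and expects a violation would show the exemption stays narrow. The switch and its enclosing method start and end outside the hunk, so how the identifier is normalised before matching is not visible here.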
@@ -537,4 +537,17 @@ ]]> + + + Support new message channel feature #2620 + 0 + + // Binding message channel to variable accessible to static resource. + window.util = { + messageChannel: '{!$MessageChannel.Record_Selected__c}' + }; + + ]]> +