FAQ-000415 - Component Communication and Data Sharing Security / Data Passing and Input Security

Current FAQ

Question
Under what circumstances is data passed between components considered a security risk?
Answer
Data passed between components is considered a security risk in Salesforce under these circumstances:

1. **Insufficient Escaping**: If input isn't properly sanitized, it can lead to vulnerabilities like cross-site scripting (XSS) attacks.
2. **Unsafe Attribute Handling**: Injecting user data into the DOM using methods like `setAttribute` or `textContent` without sanitization can result in exploitation.
3. **Unsecured Communication**: Transmitting data without secure protocols (e.g., HTTPS) can expose sensitive information.
4. **Improper Storage**: Storing sensitive data (e.g., OAuth tokens, API keys) insecurely increases the risk of unauthorized access.
5. **Dynamic Resource Loading**: Loading JavaScript or CSS dynamically from third-party endpoints instead of static resources can introduce vulnerabilities.
6. **Cross-Origin Risks**: Interacting with external applications or using iframes without proper security measures can create risks.
7. **Debugging and Logging**: Logging sensitive data in debug statements or passing it in URLs can expose it to unauthorized access.

Adhering to secure coding practices, along with proper validation, sanitization, and encryption, is essential to mitigate these risks.

AI Recommended Enhancement

Related Security Rules

- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- ApexInsecureEndpoint
- ApexSOQLInjection
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidUnescapedHtmlInAura
- VfUnescapeEl
- @lwc/lwc/no-inner-html
- AvoidCreateElementScriptLinkTag
- LoadJavaScriptIncludeScript

Question
Under what circumstances is data passed between components considered a security risk?
Recommended Answer Update
Data passed between components is considered a security risk in Salesforce under these circumstances:

1. **Insufficient Escaping**: When input isn't properly sanitized, it can lead to vulnerabilities like cross-site scripting (XSS) attacks.
2. **Unsafe Attribute Handling**: Injecting user data into the DOM using methods like `setAttribute` or `innerHTML` without sanitization can result in exploitation.
3. **Unsecured Communication**: Transmitting data without secure protocols (e.g., HTTPS) can expose sensitive information.
4. **Improper Storage**: Storing sensitive data (e.g., OAuth tokens, API keys) insecurely increases the risk of unauthorized access.
5. **Dynamic Resource Loading**: Loading JavaScript or CSS dynamically from third-party endpoints instead of static resources can introduce vulnerabilities.
6. **Cross-Origin Risks**: Interacting with external applications or using iframes without proper security measures can create risks.
7. **Debugging and Logging**: Logging sensitive data in debug statements or passing it in URLs can expose it to unauthorized access.

Adhering to secure coding practices, along with proper validation, sanitization, and encryption, is essential to mitigate these risks.
Reasoning
I made one small clarification in point 2, changing 'textContent' to 'innerHTML' because textContent is actually a safer method for setting plain text content, while innerHTML is the DOM method that poses XSS risks when used with unsanitized user input. This aligns better with the security rules that focus on preventing HTML injection vulnerabilities.

For the related security rules, each one directly corresponds to risks mentioned in the FAQ:

- ApexXSSFromEscapeFalse and ApexXSSFromURLParam relate to point 1 about insufficient escaping and XSS attacks
- VfUnescapeEl and AvoidUnescapedHtmlInAura also relate to point 1 regarding proper escaping in Visualforce and Aura components
- @lwc/lwc/no-inner-html relates to point 2 about unsafe DOM manipulation methods like innerHTML
- ApexInsecureEndpoint relates to point 3 about unsecured communication protocols
- ApexSOQLInjection relates to the general concept of input sanitization mentioned in point 1
- AvoidHardcodedCredentialsInFieldDecls and AvoidHardcodedCredentialsInVarDecls relate to point 4 about improper storage of sensitive data like API keys
- AvoidCreateElementScriptLinkTag and LoadJavaScriptIncludeScript relate to point 5 about dynamic resource loading of JavaScript from external sources
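
An added example, not part of the original FAQ or of any Salesforce code, showing the weak and hardened handling of point 2 when a label and a link target arrive from another component. The function names and `fakeElement` are assumptions made for illustration, and the hardened form assumes only absolute `https:` URLs are acceptable.

```javascript
// Added example. All names are hypothetical; fakeElement() is a constructed
// stand-in for a DOM element so the code also runs outside a browser.

// Return the normalized URL if `value` is an absolute https URL, else null.
// The WHATWG URL parser normalizes like a browser does: it lowercases the
// scheme, trims surrounding whitespace and strips embedded tabs/newlines, so
// the scheme is checked in the form the browser would act on.
function safeHttpsUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (err) {
    return null; // malformed, or relative (no base URL is assumed here)
  }
  return url.protocol === 'https:' ? url.href : null;
}

// Weak form: `label` is parsed as markup and `href` may carry any scheme.
function applyLinkUnsafe(el, label, href) {
  el.innerHTML = label;
  el.setAttribute('href', href);
}

// Hardened form: label is set as plain text, href only after validation.
function applyLink(el, label, href) {
  el.textContent = String(label);
  const url = safeHttpsUrl(href);
  if (url === null) {
    el.removeAttribute('href'); // drop any earlier value rather than keep it
    return false;
  }
  el.setAttribute('href', url);
  return true;
}

// Constructed element stub exposing only the members used above.
function fakeElement() {
  const attrs = {};
  return {
    attrs, innerHTML: '', textContent: '',
    setAttribute(name, v) { attrs[name] = String(v); },
    removeAttribute(name) { delete attrs[name]; },
  };
}
```

In a real component `el` would be an element obtained from the component's own template; the return value of `applyLink` tells the caller whether the link target was accepted.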