FAQ-000416 - Component Communication and Data Sharing Security / Data Passing and Input Security


Current FAQ

Question
How are parameters passed through component APIs considered user-controllable input for security purposes?
Answer
Parameters passed through component APIs are considered user-controllable input because they can come from external sources or user actions, such as URL parameters, cookies, headers, or other user-provided values. Salesforce treats these inputs as potentially untrusted, so they require validation and sanitization to prevent vulnerabilities like injection attacks or unauthorized access. Proper handling is essential to maintain application security.

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection
ApexXSSFromURLParam
VfUnescapeEl
ApexXSSFromEscapeFalse
Question
How are parameters passed through component APIs considered user-controllable input for security purposes?
Recommended Answer Update
Parameters passed through component APIs are considered user-controllable input because they can come from external sources or user actions, such as URL parameters, cookies, headers, or other user-provided values. Salesforce treats these inputs as potentially untrusted, so they require validation and sanitization to prevent vulnerabilities like SOQL injection attacks, cross-site scripting (XSS), or unauthorized access. Proper handling is essential to maintain application security.
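The following Apex controller is an added example illustrating the point made in both the original and the recommended answer; it is not code from the FAQ or from Salesforce. The class name, the Contact search, and the allow-listed sort fields are assumptions chosen for illustration. It shows a Lightning component API method that treats its parameter as query text (the pattern the ApexSOQLInjection rule flags) next to two versions that treat the same parameter as untrusted data.

```apex
// Added example, not from the FAQ or Salesforce docs. The class name and
// fields are constructed for illustration.
public with sharing class ContactSearchController {

    // VULNERABLE: the component-supplied value is concatenated into dynamic
    // SOQL. A single quote in `term` ends the string literal, so the caller
    // can alter the WHERE clause. This is the pattern ApexSOQLInjection flags.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchUnsafe(String term) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName LIKE \''
                    + term + '%\'';
        return Database.query(soql);
    }

    // SAFER: validate the input, then pass it through a bind variable so the
    // platform always treats it as data, never as query text. `with sharing`
    // keeps record-level access checks in force for the calling user.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchSafe(String term) {
        if (String.isBlank(term) || term.length() > 80) {
            throw new AuraHandledException('Invalid search term');
        }
        String pattern = term + '%';
        return [SELECT Id, Name FROM Contact WHERE LastName LIKE :pattern];
    }

    // When dynamic SOQL is genuinely needed (here the ORDER BY field varies),
    // escape any value that lands inside a string literal and restrict anything
    // that becomes part of the query structure to an allow-list, because
    // escaping cannot protect a field or object name.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchDynamic(String term, String sortField) {
        Set<String> allowedSort = new Set<String>{ 'Name', 'LastName', 'CreatedDate' };
        if (String.isBlank(term) || !allowedSort.contains(sortField)) {
            throw new AuraHandledException('Invalid search parameters');
        }
        String pattern = String.escapeSingleQuotes(term) + '%';
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName LIKE \''
                    + pattern + '\' ORDER BY ' + sortField;
        return Database.query(soql);
    }
}
```

The same principle applies on the output side: values that originated in URL parameters, cookies, or headers must be escaped when rendered, which is why the rules VfUnescapeEl and ApexXSSFromEscapeFalse flag Visualforce markup that disables the platform's default HTML escaping.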
Reasoning
The answer was slightly improved for clarity and accuracy. The original answer mentioned 'injection attacks' generically, but given the Salesforce context and the nature of user-controllable input through component APIs, it's more accurate and helpful to specifically mention 'SOQL injection attacks' as this is the most common injection vulnerability in the Salesforce ecosystem. The phrase 'cross-site scripting (XSS)' was added after SOQL injection to provide specific examples of the injection attack types that are most relevant to Salesforce component development. All security rules selected are directly relevant: ApexSOQLInjection relates to the SOQL injection attacks mentioned in the answer; ApexXSSFromURLParam relates to URL parameters being user-controllable input that can lead to XSS; VfUnescapeEl and ApexXSSFromEscapeFalse both relate to XSS vulnerabilities from improper handling of user-controllable input in components. The FAQ content about 'parameters passed through component APIs' and 'URL parameters, cookies, headers, or other user-provided values' directly relates to these rules since they all deal with securing user-controllable input that comes through various channels including component APIs.