FAQ-000455 - Custom Button and JavaScript Security / JavaScript Button Alternatives

Current Status: VALID_RESPONSE | Error | Unable to Answer | Suggests Case

Current FAQ

Question
What are the secure alternatives to using JavaScript in custom buttons, list view buttons, and detail page buttons?
Answer
Secure alternatives to using JavaScript in custom buttons, list view buttons, and detail page buttons include:

- **Visualforce Pages**: Use these to create custom buttons and functionality with secure implementations.
- **Aura Components**: Leverage Lightning components for modern and secure implementations.
- **Lightning Web Components (LWCs)**: Provide secure and supported ways to achieve desired functionality within the Salesforce platform.
- **Visualforce Area Components**: Use these to decorate page layouts with custom buttons.

Additional security guidelines:

- Include all scripts in static resources within the app's namespace.
- Avoid loading JavaScript from external web servers or third-party sources.
- Ensure compliance with Salesforce's security guidelines for a fully analyzable and secure implementation.
- Avoid using JavaScript buttons directly to ensure compliance and security.
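
One way to find the JavaScript buttons the answer says not to use is to scan retrieved metadata for WebLink definitions that execute script. This is an added example, not Salesforce's code and not the implementation of any rule named on this page; the sample XML is constructed and `find_javascript_weblinks` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample: custom object metadata with one JavaScript button
# and one button that opens a Visualforce page instead.
SAMPLE_OBJECT_XML = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <webLinks>
        <fullName>Quick_Close</fullName>
        <displayType>button</displayType>
        <linkType>javascript</linkType>
        <openType>onClickJavaScript</openType>
        <url>{!REQUIRESCRIPT("/soap/ajax/29.0/connection.js")} closeRecord();</url>
    </webLinks>
    <webLinks>
        <fullName>Open_Wizard</fullName>
        <displayType>button</displayType>
        <linkType>page</linkType>
        <openType>replace</openType>
        <page>CloseWizard</page>
    </webLinks>
</CustomObject>
"""

def find_javascript_weblinks(xml_text):
    """Return (fullName, reason) for every WebLink that executes JavaScript."""
    root = ET.fromstring(xml_text)
    # Object files nest <webLinks>; a standalone web link file has <WebLink> as root.
    links = list(root.iter(NS + "webLinks"))
    if root.tag == NS + "WebLink":
        links.append(root)
    findings = []
    for link in links:
        name = link.findtext(NS + "fullName", default="(unnamed)")
        link_type = (link.findtext(NS + "linkType") or "").strip()
        open_type = (link.findtext(NS + "openType") or "").strip()
        url = (link.findtext(NS + "url") or "").strip()
        if link_type == "javascript" or open_type == "onClickJavaScript":
            findings.append((name, "JavaScript button"))
        elif url.lower().startswith("javascript:"):
            findings.append((name, "javascript: URL"))
    return findings

if __name__ == "__main__":
    for name, reason in find_javascript_weblinks(SAMPLE_OBJECT_XML):
        print(f"{name}: {reason}")
```

Each flagged button is a candidate for replacement with one of the alternatives listed above.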

AI Recommended Enhancement

Related Security Rules

- AvoidJavaScriptCustomObject
- AvoidJavaScriptWebLink
- AvoidJavaScriptInUrls
- AvoidJavaScriptHomePageComponent
Question
What are the secure alternatives to using JavaScript in custom buttons, list view buttons, and detail page buttons?
Recommended Answer Update
Secure alternatives to using JavaScript in custom buttons, list view buttons, and detail page buttons include:

- **Visualforce Pages**: Use these to create custom buttons and functionality with secure implementations.
- **Aura Components**: Leverage Lightning components for modern and secure implementations.
- **Lightning Web Components (LWCs)**: Provide secure and supported ways to achieve desired functionality within the Salesforce platform.
- **Visualforce Area Components**: Use these to decorate page layouts with custom buttons.

Additional security guidelines:

- Include all scripts in static resources within the app's namespace.
- Don't load JavaScript from external web servers or third-party sources.
- Ensure compliance with Salesforce's security guidelines for a fully analyzable and secure implementation.
- Don't use JavaScript buttons directly to ensure compliance and security.
Reasoning
Made minor tone improvements to align with the brand guidelines by: 1) Changing 'Avoid loading JavaScript' to 'Don't load JavaScript' for more conversational tone, and 2) Changing 'Avoid using JavaScript buttons' to 'Don't use JavaScript buttons' for consistency and directness. These changes maintain the exact same meaning and technical accuracy while improving readability per the style guide that recommends conversational language over formal corporate terminology.

For the security rules selected:

- AvoidJavaScriptCustomObject: Directly relates to the FAQ's discussion of avoiding JavaScript in custom buttons, as custom buttons are often associated with custom objects. The FAQ explicitly states 'Avoid using JavaScript buttons directly' which aligns with this rule's purpose.
- AvoidJavaScriptWebLink: Connects to the FAQ's guidance on avoiding JavaScript in buttons, as web links and buttons share similar security concerns. The FAQ's recommendation to use secure alternatives instead of JavaScript buttons matches this rule's intent.
- AvoidJavaScriptInUrls: Relates to the FAQ's security guidance about avoiding JavaScript implementations in favor of secure alternatives, as URLs in buttons can contain JavaScript that should be avoided.
- AvoidJavaScriptHomePageComponent: While the FAQ doesn't specifically mention home page components, the broader principle of avoiding JavaScript in favor of secure alternatives (Visualforce, Aura, LWC) applies to all component types including home page components.