FAQ-000787 - External Content and Iframe Security / External Content Rendering and Security


Current FAQ

Question
What are the security restrictions and guidelines for rendering external content in Salesforce?
Answer
Rendering external content in Salesforce is subject to strict security restrictions that keep third-party script out of the Salesforce origin and keep user-controlled data from being rendered unescaped:

**JavaScript Requirements:**
- Third-party JavaScript must be stored in static resources; it must not be loaded dynamically from third-party servers, and third-party script must never execute in the Salesforce domain
- Avoid `document.createElement` and other direct DOM manipulation inside components; use template directives instead

**CSS Guidelines:**
- Do not load CSS directly from third-party sources with `<link>` tags
- Save third-party CSS files as static resources and reference them from the component (`<ltng:require>` in Aura components, `loadStyle` from `lightning/platformResourceLoader` in Lightning web components)
- Loading CSS dynamically is acceptable only if an integrity check is implemented on the fetched stylesheet

**HTML Handling:**
- Markup imported from third-party services must be sanitized before rendering so that no script tags or JavaScript event handlers (`on*` attributes) remain
- Avoid generating HTML in the controller and outputting it with `escape="false"`; that path renders user data unescaped
- If rendering HTML is unavoidable, encode or sanitize every user-controlled value it contains

**Security Practices:**
- Prevent XSS by encoding or sanitizing data before it is rendered in the UI
- The framework encodes Lightning expression output, but anything rendered as raw markup (`<aura:unescapedHtml>`, `innerHTML` under `lwc:dom="manual"`, Visualforce `escape="false"`) is not encoded; run user-controlled data through a sanitization library first
- Salesforce's strict CSP blocks unsafe inline scripts; do not work around it
- Write Lightning apps for API version 40 or later so LockerService enforces its security boundaries

**General Guidelines:**
- Do not load JavaScript or CSS dynamically from third-party endpoints; package them as static resources instead
- Do not use CDNs other than those Salesforce has approved
- Remove harmful elements when rendering external content
- If dynamic content is necessary, host it externally and embed it in an iframe (with a `sandbox` attribute) so it runs on a separate origin and is not associated with the Salesforce domain
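The HTML handling and security practice rules above say "sanitize" and "encode" without showing what that means in code. The block below is an added example, not Salesforce code and not part of the original FAQ: an encode-by-default helper for the common case, plus an allowlist sanitizer for the rare case where third-party markup really must render. The tag, attribute and URL-scheme allowlists and the helper names (`encodeHtml`, `safeUrl`, `sanitizeHtml`) are assumptions chosen for the demo; the sample inputs are constructed.

```javascript
// Added example (not Salesforce code). Allowlists below are assumptions for the demo.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };   // every other tag gets no attributes
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Tag tokenizer: handles quoted attribute values that contain '>'.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^"'>])*)>/g;
// Attribute tokenizer: name with optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Default choice: encode the five characters that let text break out of an HTML context.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Accept http(s)/mailto or relative URLs; reject javascript:, data:, vbscript: etc.
// Browsers ignore tab/newline/control characters inside a scheme, so "java\tscript:"
// would still execute; strip them before looking at the scheme.
function safeUrl(value) {
  const v = value.trim().replace(/[\u0000-\u001f\u007f]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*:)/i.exec(v);
  if (scheme) return ALLOWED_SCHEMES.has(scheme[1].toLowerCase()) ? v : null; // also rejects host:port without scheme
  return v.startsWith('//') ? null : v; // protocol-relative URLs let the attacker pick the host
}

// Allowlist sanitizer: output consists only of allowlisted tags carrying allowlisted,
// re-encoded attributes, and encoded text. Everything else (script, img, svg, iframe,
// on* handlers, style, comments) is dropped or encoded, never passed through.
function sanitizeHtml(html) {
  const s = String(html);
  let out = '';
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += encodeHtml(s.slice(last, m.index));      // text between tags is always encoded
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;           // unknown tag: dropped, its body stays as text
    if (m[0].startsWith('</')) { out += `</${tag}>`; continue; }
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    let attrs = '';
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (!allowed.has(name)) continue;             // on* handlers never appear in an allowlist
      let value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name === 'href') {
        value = safeUrl(value);
        if (value === null) continue;               // dangerous scheme: attribute dropped, tag kept
      }
      attrs += ` ${name}="${encodeHtml(value)}"`;   // values are re-quoted and encoded on output
    }
    out += `<${tag}${attrs}>`;
  }
  return out + encodeHtml(s.slice(last));           // trailing text after the last tag
}

// Constructed sample of "third-party markup" mixing legitimate formatting with XSS attempts.
const SAMPLE = '<p>Hi <b onmouseover="steal()">user</b></p>'
  + '<img src=x onerror=alert(1)><a href="javascript:alert(1)">click</a>'
  + '<a href="https://example.com/?a=1&b=2">ok</a>';
console.log(sanitizeHtml(SAMPLE));
```

The sanitizer is safe by construction rather than by blocklist: it never copies input through, so tricks like `<scr<script>ipt>` or a tab inside `javascript:` end up as encoded text or a dropped attribute. Attribute values are treated as raw text, so input that is already entity-encoded gets re-encoded; decode first if the source pre-encodes. For production code, prefer a maintained sanitizer such as DOMPurify over a hand-rolled one; this block exists to make the rule concrete, and to show that the default should be `encodeHtml`, with `sanitizeHtml` reserved for markup that genuinely must render.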
HerokuApiError: Heroku API request failed with status 403: Forbidden at ChatHeroku.postWithRetries (/Users/vivek.soni/work/faqtools/bin/faqenhance/node_modules/heroku-langchain/dist/cjs/model.js:85:27) at process.processTicksAndRejections (node:internal/process/task_queues:104:5) at async ChatHeroku._stream (/Users/vivek.soni/work/faqtools/bin/faqenhance/node_modules/heroku-langchain/dist/cjs/chat.js:648:26) at async ChatHeroku._streamResponseChunks (/Users/vivek.soni/work/faqtools/bin/faqenhance/node_modules/heroku-langchain/dist/cjs/chat.js:717:26) at async ChatHeroku._streamIterator (/Users/vivek.soni/work/faqtools/bin/faqenhance/node_modules/@langchain/core/dist/language_models/chat_models.cjs:111:22)