FAQ-001114 - Lightning Web Components and JavaScript Security / Apex Integration and Server-Side Security


Current FAQ

Question
How do I address security concerns about @AuraEnabled methods being accessible to other users and securely pass dynamic data from Apex to JavaScript?
Answer
To address security concerns about `@AuraEnabled` methods and securely pass dynamic data from Apex to JavaScript, follow these best practices:

**Securing @AuraEnabled Methods:**

1. **Enforce User Mode**: Use user mode for SOQL queries and DML so that CRUD/FLS checks are applied, preventing unauthorized access to objects and fields. Without it, Apex runs in system mode and ignores the running user's object and field permissions.
2. **Restrict Access**: Only expose `@AuraEnabled` methods when necessary. Remove the annotation if the method doesn't need to be callable from a component.
3. **Validate Inputs**: Validate all parameters passed to `@AuraEnabled` methods, and pass user-supplied values into SOQL as bind variables rather than by string concatenation, to prevent SOQL injection. Anyone who can call the method controls its arguments; don't assume the component's JavaScript is the only caller.
4. **Use Sharing Rules**: Declare classes as `with sharing` (or `inherited sharing`) to enforce record-level sharing rules and restrict unauthorized data access.
5. **Limit Exposure**: An `@AuraEnabled` method is callable by every user who has access to its Apex class, not only by users of the component that calls it. Grant Apex class access through profiles or permission sets only to the users who need it.

**Securely Passing Dynamic Data:**

1. **Encode Data for Its Context**: `JSENCODE`, `HTMLENCODE`, and `URLENCODE` are Visualforce expression functions, so apply them in the page markup where controller output is rendered (for example `{!JSENCODE(value)}`); the Apex equivalents are `String.escapeEcmaScript()`, `String.escapeHtml4()`, and `EncodingUtil.urlEncode()`. Encode for the context the value lands in (JavaScript string, HTML text, URL parameter). Do not pre-encode data returned from `@AuraEnabled` methods to LWC: template bindings (`{value}`) escape automatically, and pre-encoding shows up as double-encoded text.
2. **Use JSON Format**: In Visualforce, serialize the data with `JSON.serialize()` in Apex and wrap it in `JSENCODE()` when emitting it into a `<script>` block. For LWC, the platform serializes the `@AuraEnabled` return value as JSON and the JavaScript receives ordinary objects; no manual encoding is needed.
3. **Handle Data Safely in JavaScript**: In your JavaScript file, treat the data as untrusted. Avoid injecting it into the DOM with `innerHTML`; prefer template bindings, and where you must touch the DOM (LWC only allows this on elements marked `lwc:dom="manual"`) use `textContent` or `setAttribute`. Validate values before using them as URLs or other sensitive attributes.
4. **Avoid Unescaped Data**: Do not use the `escape="false"` attribute in Visualforce unless absolutely necessary. If you must, ensure the data is sanitized in the Apex controller.

These practices help mitigate security risks like cross-site scripting (XSS) and SOQL injection and ensure compliance with Salesforce's security standards.

AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation, ApexSharingViolations, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, VfUnescapeEl, ApexSOQLInjection
Question
How do I address security concerns about @AuraEnabled methods being accessible to other users and securely pass dynamic data from Apex to JavaScript?
Recommended Answer Update
To address security concerns about `@AuraEnabled` methods and securely pass dynamic data from Apex to JavaScript, follow these best practices:

**Securing @AuraEnabled Methods:**

1. **Enforce User Mode**: Use `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods to ensure CRUD/FLS checks are applied, preventing unauthorized access to objects and fields. Without it, Apex runs in system mode and ignores the running user's object and field permissions.
2. **Restrict Access**: Only expose `@AuraEnabled` methods when necessary. Remove the annotation if the method doesn't need to be callable from a component.
3. **Validate Inputs**: Validate all parameters passed to `@AuraEnabled` methods, and pass user-supplied values into SOQL as bind variables rather than by string concatenation, to prevent SOQL injection. Anyone who can call the method controls its arguments; don't assume the component's JavaScript is the only caller.
4. **Use Sharing Rules**: Declare classes as `with sharing` (or `inherited sharing`) to enforce record-level sharing rules and restrict unauthorized data access.
5. **Limit Exposure**: An `@AuraEnabled` method is callable by every user who has access to its Apex class, not only by users of the component that calls it. Grant Apex class access through profiles or permission sets only to the users who need it.

**Securely Passing Dynamic Data:**

1. **Encode Data for Its Context**: `JSENCODE`, `HTMLENCODE`, and `URLENCODE` are Visualforce expression functions, so apply them in the page markup where controller output is rendered (for example `{!JSENCODE(value)}`); the Apex equivalents are `String.escapeEcmaScript()`, `String.escapeHtml4()`, and `EncodingUtil.urlEncode()`. Encode for the context the value lands in (JavaScript string, HTML text, URL parameter). Don't pre-encode data returned from `@AuraEnabled` methods to LWC: template bindings (`{value}`) escape automatically, and pre-encoding shows up as double-encoded text.
2. **Use JSON Format**: In Visualforce, serialize the data with `JSON.serialize()` in Apex and wrap it in `JSENCODE()` when emitting it into a `<script>` block. For LWC, the platform serializes the `@AuraEnabled` return value as JSON and the JavaScript receives ordinary objects; no manual encoding is needed.
3. **Handle Data Safely in JavaScript**: In your JavaScript file, treat the data as untrusted. Avoid injecting it into the DOM with `innerHTML`; prefer template bindings, and where you must touch the DOM (LWC only allows this on elements marked `lwc:dom="manual"`) use `textContent` or `setAttribute`. Validate values before using them as URLs or other sensitive attributes.
4. **Avoid Unescaped Data**: Don't use the `escape="false"` attribute in Visualforce unless absolutely necessary. If you must, ensure the data is sanitized in the Apex controller.

These practices help mitigate security risks like cross-site scripting (XSS) and SOQL injection and ensure compliance with Salesforce's security standards.
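As an added example (not code from the original FAQ or from Salesforce), the Apex below shows the `@AuraEnabled` guidance from both answers applied: a controller written the way the answers warn against, beside a hardened version that uses `with sharing`, `WITH USER_MODE`, `AccessLevel.USER_MODE`, a bind variable and input validation. The class names `AccountSearchUnsafe` and `AccountSearchController`, the method names and the 80-character limit are assumptions; `Account`, `Name`, `Industry` and `AnnualRevenue` are standard Salesforce object and field names. Each class would normally live in its own `.cls` file.

```apex
// Added example, not from the original FAQ. Class names and the length limit are assumptions.

// BEFORE (AccountSearchUnsafe.cls): what the FAQ warns against.
public without sharing class AccountSearchUnsafe {
    @AuraEnabled(cacheable=true)
    public static List<Account> search(String term) {
        // System mode with sharing bypassed: every user with access to this class
        // reads every Account and every field, regardless of CRUD, FLS or sharing.
        // String concatenation: a term such as  x%' OR Name != '  rewrites the query
        // to  ... WHERE Name LIKE '%x%' OR Name != '%'  and returns all accounts.
        return Database.query(
            'SELECT Id, Name, Industry, AnnualRevenue FROM Account ' +
            'WHERE Name LIKE \'%' + term + '%\''
        );
    }
}

// AFTER (AccountSearchController.cls): the FAQ's recommendations applied.
public with sharing class AccountSearchController {      // 4. sharing rules enforced
    private static final Integer MAX_TERM_LENGTH = 80;      // assumed limit

    @AuraEnabled(cacheable=true)
    public static List<Account> search(String term) {
        // 3. Validate the input. The caller controls this value; do not assume the
        //    component's JavaScript is the only thing that will ever send it.
        if (String.isBlank(term) || term.length() > MAX_TERM_LENGTH) {
            throw new AuraHandledException(
                'Search term must be between 1 and ' + MAX_TERM_LENGTH + ' characters.');
        }
        // Escape SOQL LIKE wildcards (% and _) with a backslash so the user cannot
        // widen the match, then pass the value as a bind variable: it is a value,
        // never text spliced into the query, so SOQL injection is not possible.
        String pattern = '%' + term.replaceAll('([%_])', '\\\\$1') + '%';

        // 1. WITH USER_MODE enforces CRUD and FLS for the running user: if the user
        //    cannot read a selected field, the query throws instead of leaking it.
        return [
            SELECT Id, Name, Industry
            FROM Account
            WHERE Name LIKE :pattern
            WITH USER_MODE
            LIMIT 50
        ];
    }

    @AuraEnabled
    public static void updateIndustry(Id accountId, String industry) {
        if (accountId == null || String.isBlank(industry)) {
            throw new AuraHandledException('Account Id and industry are required.');
        }
        // 1. The same guarantee for DML: Database methods accept AccessLevel.USER_MODE,
        //    so an edit to a field the user cannot update fails instead of succeeding.
        Database.update(new Account(Id = accountId, Industry = industry), AccessLevel.USER_MODE);
    }
    // 5. Exposure is controlled outside the code: grant Apex Class Access to this class
    //    only to the profiles or permission sets whose users need the component.
}
```

On the LWC side the component imports the method with `import search from '@salesforce/apex/AccountSearchController.search';` and renders the results with template bindings such as `{acct.Name}`, which escape automatically; nothing in the Apex pre-encodes the output, so no double encoding occurs.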
Reasoning
The main update needed was to modernize the security enforcement guidance in point 1 to prioritize modern features. The original text mentioned 'user mode for SOQL queries' which was updated to specifically reference 'WITH USER_MODE for SOQL queries or AccessLevel.USER_MODE for Database methods' to align with current best practices as outlined in the security approaches guidelines. A minor stylization improvement was made in point 4 to change 'Do not use' to 'Don't use' for more conversational tone. The security rules selected relate directly to the FAQ content: ApexCRUDViolation relates to point 1 about enforcing CRUD/FLS checks through user mode; ApexSharingViolations relates to point 4 about using 'with sharing' declarations; ApexXSSFromEscapeFalse relates to point 4 about avoiding escape='false' in Visualforce; ApexXSSFromURLParam relates to the encoding practices in point 1 of the dynamic data section; VfUnescapeEl relates to point 4 about unescaped data in Visualforce; ApexSOQLInjection relates to point 3 about validating inputs to prevent injection vulnerabilities.