FAQ-001123 - Lightning Web Components and JavaScript Security / Component Design and Security Compliance

Current Status: VALID_RESPONSE

Current FAQ

Question
How can I resolve JavaScript context and security issues in Salesforce applications?
Answer
To resolve JavaScript context and security issues in Salesforce applications:

**For "JavaScript not allowed in context" issues:**

1. **Use Static Resources**: Ensure all JavaScript code is stored in static resources and not loaded from third-party servers. Reference these files through each framework's static-resource mechanism: the `$Resource` global variable in Visualforce, `$Resource.<name>` in an `<ltng:require>` tag in Aura, and an import from `@salesforce/resourceUrl/<name>` loaded with `loadScript` from `lightning/platformResourceLoader` in Lightning Web Components.
2. **Avoid Inline JavaScript**: Do not execute JavaScript directly in the Salesforce domain, such as in custom buttons, homepage components, or S-controls.
3. **Embed Dynamic Content Securely**: If dynamic content is necessary, host it externally and embed it in an iframe within a Visualforce page to comply with Salesforce security policies.

**General JS-related security requirements:**

- **Avoid Third-Party JS from CDNs**: Dynamically loading third-party JavaScript files from content delivery networks (CDNs) is not allowed. Instead, include the code in the static resources folder of your package.
- **Proper Origin for JS Code**: Ensure JavaScript code from multiple vendors runs in the correct origin using Visualforce, Aura, or Lightning Web Components. Do not attempt to break out of a sandbox or execute code outside your origin.
- **No Sensitive Data in Debug Statements**: Do not expose secret data, sensitive information, passwords, keys, or stack traces in production environments through debug statements.
- **Sanitize Lightning Component Attributes**: Prevent unsafe values from reaching attributes like `href` or `frame src` and being injected into the DOM by sanitizing attribute values: allow only `http:` and `https:` URLs and reject `javascript:` and `data:` values before they are bound to the attribute.
- **Encoding in Visualforce Pages**: Avoid using the `escape="false"` attribute unless the output is correctly encoded in the controller or is a custom label.

These practices help mitigate risks like cross-site scripting and ensure compliance with secure coding standards.

AI Recommended Enhancement

Related Security Rules

- LoadJavaScriptIncludeScript
- LoadJavaScriptHtmlScript
- AvoidJavaScriptCustomObject
- AvoidJavaScriptWebLink
- AvoidJavaScriptHomePageComponent
- AvoidJavaScriptInUrls
- AvoidSControls
- ApexXSSFromEscapeFalse
- AvoidUnescapedHtmlInAura
- AvoidCreateElementScriptLinkTag
- AvoidAuraWithLockerDisabled
- AvoidHardCodedCredentialsInAura
- @lwc/lwc/no-inner-html
Question
How can I resolve JavaScript context and security issues in Salesforce applications?
Recommended Answer Update
To resolve JavaScript context and security issues in Salesforce applications:

**For "JavaScript not allowed in context" issues:**

1. **Use Static Resources**: Store all JavaScript code in static resources, not loaded from third-party servers. Reference these files through each framework's static-resource mechanism: the `$Resource` global variable in Visualforce, `$Resource.<name>` in an `<ltng:require>` tag in Aura, and an import from `@salesforce/resourceUrl/<name>` loaded with `loadScript` from `lightning/platformResourceLoader` in Lightning Web Components.
2. **Avoid Inline JavaScript**: Don't execute JavaScript directly in the Salesforce domain, such as in custom buttons, homepage components, or S-controls.
3. **Embed Dynamic Content Securely**: If dynamic content is necessary, host it externally and embed it in an iframe within a Visualforce page to comply with Salesforce security policies.

**General JS-related security requirements:**

- **Avoid Third-Party JS from CDNs**: Dynamically loading third-party JavaScript files from content delivery networks (CDNs) isn't allowed. Instead, include the code in your package's static resources folder.
- **Proper Origin for JS Code**: Make sure JavaScript code from multiple vendors runs in the correct origin using Visualforce, Aura, or Lightning Web Components. Don't attempt to break out of a sandbox or execute code outside your origin.
- **No Sensitive Data in Debug Statements**: Don't expose secret data, sensitive information, passwords, keys, or stack traces in production environments through debug statements.
- **Sanitize Lightning Component Attributes**: Prevent unsafe values from reaching attributes like `href` or `frame src` and being injected into the DOM by sanitizing attribute values: allow only `http:` and `https:` URLs and reject `javascript:` and `data:` values before they are bound to the attribute.
- **Encoding in Visualforce Pages**: Avoid using the `escape="false"` attribute unless the output is correctly encoded in the controller or is a custom label.

These practices help mitigate risks like cross-site scripting and help you meet secure coding standards.
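The attribute-sanitization, output-encoding and static-resource-only points made in both the current answer and the recommended update above, as an added example in plain JavaScript that is not part of the FAQ or of any Salesforce library. It runs under Node without the Lightning runtime; the function names, the org domain `example.my.salesforce.com`, the `/resource/` path prefix for static resources and all sample inputs are assumptions chosen for illustration.

```javascript
// Added example, not code from the Salesforce FAQ. Plain JavaScript (runs under
// Node) showing the three checks the answer asks for: a scheme allow-list for
// href / frame-src values, HTML encoding for anything bound into markup, and a
// same-origin static-resource check for <script src>. Function names, the org
// domain and the /resource/ path prefix are assumptions for illustration.

const ORG_ORIGIN = 'https://example.my.salesforce.com'; // assumed org domain
const SAFE_URL_SCHEMES = new Set(['http:', 'https:']);

// Return a value that is safe to bind to href / iframe src, or '#' when the
// input must be dropped. Parsing with the WHATWG URL class instead of a regex
// normalises case, strips leading whitespace and removes embedded tab/newline
// characters, so "JaVaScRiPt:" and "java\nscript:" both resolve to the
// javascript: scheme and are rejected.
function sanitizeUrlAttribute(value, base = ORG_ORIGIN + '/') {
  if (typeof value !== 'string') return '#';
  let url;
  try {
    url = new URL(value, base);
  } catch {
    return '#'; // unparseable input is never bound as-is
  }
  return SAFE_URL_SCHEMES.has(url.protocol) ? url.href : '#';
}

// Accept a <script src> only when it is a static resource on the org's own
// origin. CDN hosts, protocol-relative "//cdn..." URLs and path traversal out
// of /resource/ all fail, which is the behaviour the LoadJavaScript* rules want.
function isStaticResourceScript(src, origin = ORG_ORIGIN) {
  let url;
  try {
    url = new URL(src, origin + '/');
  } catch {
    return false;
  }
  return url.origin === origin && url.pathname.startsWith('/resource/');
}

// Encode text for an HTML body or a double-quoted attribute. This is the
// encoding Visualforce applies by default; do it yourself in the controller
// before an output is ever rendered with escape="false".
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Build an anchor from untrusted data without ever handing raw input to
// innerHTML: the URL passes the scheme allow-list and the label is encoded.
function renderLink(href, label) {
  return `<a href="${escapeHtml(sanitizeUrlAttribute(href))}">${escapeHtml(label)}</a>`;
}

// Constructed sample inputs (not real data) so the checks can be run offline.
const SAMPLE_HREFS = [
  '/lightning/n/Home',
  'https://trailhead.salesforce.com/',
  'javascript:alert(document.cookie)',
  'java\nscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];
const SAMPLE_SCRIPTS = [
  '/resource/1700000000000/myLib',
  'https://cdn.jsdelivr.net/npm/lodash@4/lodash.min.js',
  '//cdn.example.net/lib.js',
  '/resource/../apex/SomePage',
];

// Run every sample through the checks and return a summary object.
function auditSamples() {
  return {
    hrefs: SAMPLE_HREFS.map((h) => [h, sanitizeUrlAttribute(h)]),
    scripts: SAMPLE_SCRIPTS.map((s) => [s, isStaticResourceScript(s)]),
  };
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

In a real LWC the same logic would sit in the component's JavaScript and feed a tracked property that the template binds to `href`; the point is that the decision is made on the parsed scheme and origin, not on a substring match, so case tricks and embedded whitespace in the scheme do not slip through.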
Reasoning
The changes made focus on improving tone and clarity while preserving all technical content. Key improvements include: 1) Changed 'Ensure all JavaScript code is stored' to 'Store all JavaScript code' for more direct, conversational language. 2) Replaced 'are not loaded' with 'not loaded' to match the FAQ's conversational tone. 3) Changed 'Do not execute' to 'Don't execute', using contractions per style guidelines. 4) Simplified 'is not allowed' to 'isn't allowed' for better readability. 5) Changed 'Ensure JavaScript code' to 'Make sure JavaScript code' for more natural language. 6) Updated 'Do not attempt' to 'Don't attempt' for consistency. 7) Replaced 'Do not expose' with 'Don't expose', maintaining the conversational tone. 8) Changed 'ensure compliance' to 'help you meet' for more positive, user-focused language. All technical information remains exactly the same.

Regarding the security rules selected: LoadJavaScriptIncludeScript and LoadJavaScriptHtmlScript relate to the FAQ's guidance about using static resources instead of loading JS from external sources. AvoidJavaScriptCustomObject, AvoidJavaScriptWebLink, AvoidJavaScriptHomePageComponent, AvoidJavaScriptInUrls, and AvoidSControls all connect to the FAQ's advice about avoiding inline JavaScript in various Salesforce contexts like custom buttons, homepage components, and S-controls. ApexXSSFromEscapeFalse directly relates to the FAQ's point about avoiding escape="false" in Visualforce pages. AvoidUnescapedHtmlInAura connects to the sanitization guidance for Lightning components. AvoidCreateElementScriptLinkTag relates to the guidance against loading JavaScript dynamically by creating script or link elements at runtime instead of referencing static resources. AvoidAuraWithLockerDisabled and AvoidHardCodedCredentialsInAura relate to the security requirements for Aura components mentioned in the FAQ. @lwc/lwc/no-inner-html connects to the DOM injection prevention guidance for Lightning Web Components.