How do I properly sanitize data for use with aura:unescapedHtml and handle escaping vulnerabilities in LWC?
Answer
**For aura:unescapedHtml:**
To properly sanitize data for use with `aura:unescapedHtml` in Salesforce:
1. **Sanitize User Inputs**: Ensure all user-supplied inputs are sanitized to prevent cross-site scripting (XSS) vulnerabilities.
2. **Avoid Usage if Possible**: Only use `aura:unescapedHtml` when absolutely necessary.
3. **Server-Side Sanitization**: Sanitize the input data on the server side before rendering it in the component.
4. **Use Encoding Functions**: Use output-encoding functions or trusted, well-maintained third-party sanitization libraries rather than hand-written string replacement to ensure the data is safe.
5. **Avoid Unsafe HTML**: Do not generate HTML in Apex classes, and ensure no JavaScript event handlers or `<script>` tags are present in the HTML being rendered.
**For LWC Escaping Vulnerabilities:**
Developers should handle Lightning Web Component escaping vulnerabilities by:
1. **Including Third-Party Libraries as Static Resources**: Always include third-party JavaScript libraries as static resources within the package. Avoid dynamically loading them from external sources to ensure security and version control.
2. **Sanitizing or Encoding User-Controlled Data**: Before rendering any user-controlled data in the component, encode it (when it should appear as text) or sanitize it against an allowlist (when markup must be preserved) to prevent cross-site scripting (XSS) vulnerabilities.
3. **Handling Unsafe Attributes**: If using attributes that could be unsafe:
- Refactor the expression language to ensure safety
- Create sanitized variables in the controller
- Use custom rendering with proper sanitization
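As a worked example of the sanitization and encoding steps above (for both the `aura:unescapedHtml` list and the LWC list), the following is an added illustration rather than Salesforce's code or code from the original answer. It implements the two operations the answer distinguishes: `escapeHtml`, output encoding for data that should be rendered as text, and `sanitizeHtml`, an allowlist sanitizer for the rare case where a limited set of markup has to survive. The allowed tag and attribute set (`ALLOWED`), the `href` scheme policy and the entity table are assumptions chosen for the example; in a production component the same job is usually done with a maintained library such as DOMPurify shipped as a static resource, and this block shows what such a library has to get right.

```javascript
// Added example (not Salesforce code): output encoding plus an allowlist sanitizer
// for markup that is about to be rendered unescaped (for instance the value handed
// to aura:unescapedHtml). The allowlist and URL policy below are assumptions.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Assumed allowlist: tags that may survive and, per tag, the attributes kept.
// Event handlers (on*), style, src and everything else are dropped.
const ALLOWED = { b: [], i: [], em: [], strong: [], p: [], br: [], ul: [], ol: [], li: [], a: ['href', 'title'] };

// Output encoding: neutralises the five characters that switch HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

function codePointToString(codePoint) {
  return codePoint >= 0 && codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : '';
}

// Single-pass entity decode so obfuscated input such as "javascript&#58;" is
// judged on its decoded form and already-encoded text is not double-encoded.
function decodeEntities(value) {
  return String(value)
    .replace(/&#x([0-9a-f]+);?/gi, (m, hex) => codePointToString(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (m, dec) => codePointToString(parseInt(dec, 10)))
    .replace(/&([a-z]+);/gi, (m, name) => NAMED_ENTITIES[name.toLowerCase()] ?? m);
}

// href policy (assumed): absolute http(s)/mailto or a site-relative path.
// Whitespace and control characters are removed first so "java\tscript:" cannot pass.
function isSafeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(https?:|mailto:)/.test(url) || (url.startsWith('/') && !url.startsWith('//'));
}

// Rebuild an opening tag from scratch, keeping only allowlisted attributes and
// re-encoding every attribute value.
function renderOpenTag(name, attrText) {
  const attrRe = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '<' + name;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const attr = m[1].toLowerCase();
    if (!ALLOWED[name].includes(attr)) continue;          // not allowlisted (incl. on*): dropped
    const raw = m[2] ?? m[3] ?? m[4] ?? '';
    if (attr === 'href' && !isSafeUrl(raw)) continue;     // dangerous scheme: dropped
    out += ' ' + attr + '="' + escapeHtml(decodeEntities(raw)) + '"';
  }
  return out + '>';
}

// Tokenise into tags, text and stray "<"; drop tags that are not allowlisted and
// encode all text. Quoted attribute values containing ">" are a known limitation
// of this tokenizer, which is one reason a maintained library is preferable.
function sanitizeHtml(input) {
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g;
  let out = '';
  let m;
  while ((m = tokenRe.exec(String(input))) !== null) {
    const [token, slash, rawName, attrText] = m;
    if (rawName === undefined) {
      out += escapeHtml(decodeEntities(token));         // plain text or a stray "<"
      continue;
    }
    const name = rawName.toLowerCase();
    // hasOwnProperty guards against prototype names such as "constructor".
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) continue;
    out += slash ? '</' + name + '>' : renderOpenTag(name, attrText);
  }
  return out;
}

// Constructed sample input mixing allowed markup with XSS attempts.
const SAMPLE = '<b onmouseover="alert(1)">Hi</b> <a href="javascript:alert(1)">link</a> <img src=x onerror=alert(1)>';
console.log(escapeHtml(SAMPLE));   // safe to bind as text
console.log(sanitizeHtml(SAMPLE)); // safe to render as markup: <b>Hi</b> <a>link</a>
```

In an LWC, the pattern from step 3 above is to compute `sanitizeHtml(value)` once in the controller (a getter or a property set when data arrives) and bind that sanitized variable, never the raw input; in Aura, run it before the value is assigned to the attribute that `aura:unescapedHtml` reads. Anything that is only ever meant to be displayed as text should go through `escapeHtml` or, better, the framework's default binding, which escapes for you.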
**Documentation Resources:**
Developers can find documentation and examples for proper data escaping in:
- Salesforce Secure Coding Guide for Lightning Security
- OWASP Cross-Site Scripting Prevention Cheat Sheet
- Salesforce Secure Filters GitHub Repository
These practices help maintain the security of your Lightning components.