Do I need to escape configuration parameters that can only be set by a user with "Customize Application" permissions?
Answer
Yes, configuration parameters set by users with "Customize Application" permissions should still be escaped if they involve tainted input that could lead to vulnerabilities, such as cross-site scripting (XSS). Proper escaping is recommended for any user-provided or modifiable input to mitigate security risks.
Recommended Answer Update
Yes, configuration parameters set by users with "Customize Application" permissions should still be escaped if they involve tainted input that could lead to vulnerabilities, such as cross-site scripting (XSS). Even though these users have elevated privileges, proper escaping is recommended for any user-provided or modifiable input to mitigate security risks.
Reasoning
The existing answer is accurate and well-structured, covering the key security principle that escaping should be applied regardless of user permissions. I made a minor improvement to add "Even though these users have elevated privileges" to better clarify why escaping is still necessary despite the high privilege level of users with "Customize Application" permissions. This helps address the implicit assumption in the question that high-privilege users might not need the same security protections. The related rules I selected all directly relate to the core content of this FAQ: ApexXSSFromEscapeFalse deals with XSS vulnerabilities when escape is set to false in Visualforce, which is the exact escaping concept this FAQ discusses. ApexXSSFromURLParam addresses XSS from URL parameters, which represents the type of tainted input the FAQ mentions. VfUnescapeEl covers unescaped expressions in Visualforce that can lead to XSS, directly matching the FAQ's discussion of escaping to prevent XSS vulnerabilities. AvoidUnescapedHtmlInAura deals with unescaped HTML in Aura components, which is another manifestation of the escaping principles this FAQ teaches.
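The following is an added example, not code from the FAQ or from Salesforce, showing the escaping the answer calls for. It assumes a hierarchy custom setting named `Site_Config__c` with a text field `Banner_Html__c` that an administrator with "Customize Application" can edit, and a controller class `BannerController` (all names are assumptions); the controller treats that admin-set value as tainted and exposes an escaped copy alongside the raw one.

```apex
// Added example (not part of the FAQ): a Visualforce controller that reads an
// admin-editable banner from a hierarchy custom setting and escapes it before
// it reaches a page. Assumed names: Site_Config__c, Banner_Html__c, BannerController.
public with sharing class BannerController {
    // Value exactly as stored by the admin; treated as tainted even though
    // only users with "Customize Application" can change it.
    public String rawBanner { get; private set; }

    // HTML-escaped copy; safe in an HTML body context regardless of how the
    // page renders it (auto-escaped or escape="false").
    public String safeBanner { get; private set; }

    public BannerController() {
        // getOrgDefaults() returns the org-level hierarchy record (or an empty
        // instance when none has been created yet).
        Site_Config__c cfg = Site_Config__c.getOrgDefaults();
        rawBanner = (cfg == null || cfg.Banner_Html__c == null) ? '' : cfg.Banner_Html__c;
        safeBanner = escapeForHtml(rawBanner);
    }

    // Escapes the HTML 4 significant characters (& < > ") using the platform
    // String method. Single quotes are not covered by HTML 4 entities, so
    // emitted values must only be placed in double-quoted attributes or text.
    @TestVisible
    private static String escapeForHtml(String s) {
        return (s == null) ? '' : s.escapeHtml4();
    }
}

// Companion unit test (constructed input): confirms a markup-bearing setting
// value is neutralised before it reaches the page.
@IsTest
private class BannerControllerTest {
    @IsTest
    static void escapesMarkupInConfigValue() {
        // Constructed tainted value of the kind an admin could save by mistake.
        String tainted = '<b onmouseover="x()">Welcome</b>';
        String escaped = BannerController.escapeForHtml(tainted);
        System.assertEquals(
            '&lt;b onmouseover=&quot;x()&quot;&gt;Welcome&lt;/b&gt;', escaped);
        // Null is tolerated and yields an empty string rather than an exception.
        System.assertEquals('', BannerController.escapeForHtml(null));
    }
}
```

On the Visualforce side, `<apex:outputText value="{!rawBanner}"/>` is escaped by the platform, so the findings raised by ApexXSSFromEscapeFalse and VfUnescapeEl appear only when `escape="false"` is added or the value is placed in a JavaScript or attribute context; in those positions render `{!safeBanner}`, or wrap the expression with `HTMLENCODE` / `JSENCODE` as the context requires. The practical reason to bother, even for an admin-only setting, is that the value is stored once and delivered to every visitor's browser, so one bad edit has the same reach as any other stored XSS.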