FAQ-001654 - Salesforce Platform Security Responsibility / Uncategorized


Current FAQ

Question
How should I address security findings that reference standard Salesforce components, JavaScript libraries, or core platform functionality?
Answer
Addressing Security Findings Related to Standard Salesforce Functionality

When a security finding references standard Salesforce components, Salesforce-provided JavaScript libraries, or core platform functionality, first determine whether the issue is caused by partner-controlled code or by Salesforce-managed functionality.

Standard Salesforce Components

If the finding originates from Salesforce-managed components and your package does not control the input or rendering, document it as a false positive with evidence and justification. If your code interacts with the component, ensure:

- Proper CRUD/FLS enforcement
- Input validation and output encoding
- No unsafe DOM manipulation or bypass of platform security features

Partners cannot modify standard components and are responsible only for safe usage, not platform implementation.

Standard Salesforce JavaScript Libraries

If the finding references Salesforce-provided libraries, confirm they are not bundled or altered by your package. Document the issue as a platform-related false positive and include references to Salesforce documentation if available. Ensure your code does not misuse the library in a way that introduces risk. (Third-party libraries used by the package must be bundled as static resources and kept up to date.)

Core Platform Functionality

Findings related solely to Salesforce core behavior are out of scope for AppExchange Security Review. Document them as false positives, including screenshots, reproduction steps, and an explanation that the behavior is Salesforce-controlled.

AI Recommended Enhancement

Related Security Rules (click to view)
- ApexCRUDViolation
- ApexSharingViolations
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- VfUnescapeEl
- ApexSOQLInjection
- ApexOpenRedirect
Question
How should I address security findings that reference standard Salesforce components, JavaScript libraries, or core platform functionality?
Recommended Answer Update
# Addressing Security Findings Related to Standard Salesforce Functionality

When a security finding references standard Salesforce components, Salesforce-provided JavaScript libraries, or core platform functionality, first determine whether the issue is caused by partner-controlled code or by Salesforce-managed functionality.

## Standard Salesforce Components

If the finding originates from Salesforce-managed components and your package doesn't control the input or rendering, document it as a false positive with evidence and justification. If your code interacts with the component, ensure:

- Proper CRUD/FLS enforcement
- Input validation and output encoding
- No unsafe DOM manipulation or bypass of platform security features

Partners can't modify standard components and are responsible only for safe usage, not platform implementation.

## Standard Salesforce JavaScript Libraries

If the finding references Salesforce-provided libraries, confirm they're not bundled or altered by your package. Document the issue as a platform-related false positive and include references to Salesforce documentation if available. Ensure your code doesn't misuse the library in a way that introduces risk. (Third-party libraries used by the package must be bundled as static resources and kept up to date.)

## Core Platform Functionality

Findings related solely to Salesforce core behavior are out of scope for AppExchange Security Review. Document them as false positives, including screenshots, reproduction steps, and an explanation that the behavior is Salesforce-controlled.
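The "Standard Salesforce Components" section of both the current answer and the recommended update asks partner code to enforce CRUD/FLS and validate input. The following Apex is an added example, not from the FAQ or from Salesforce, showing the pattern that the ApexCRUDViolation and ApexSOQLInjection rules flag beside a hardened form; the class, method and field choices are hypothetical.

```apex
// Added example (not from the FAQ). Class and method names are hypothetical.
// "with sharing" also keeps record-level sharing rules in force (ApexSharingViolations).
public with sharing class ContactLookupController {

    // Weak pattern: the caller-supplied term is concatenated into SOQL and the
    // query runs in system mode, so neither injection nor object/field
    // permissions are handled. This is what the review tooling reports.
    public static List<Contact> searchUnsafe(String term) {
        String q = 'SELECT Id, Name, Email FROM Contact WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(q);
    }

    // Hardened form: a bind variable replaces concatenation (the term is never
    // parsed as SOQL), and WITH USER_MODE makes the platform enforce the
    // running user's object and field permissions on the query itself.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchSafe(String term) {
        // Bound values need no quote escaping; only LIKE wildcards in the
        // term still apply, which is acceptable for a name search.
        String pattern = '%' + term + '%';
        return [SELECT Id, Name, Email FROM Contact
                WHERE Name LIKE :pattern
                WITH USER_MODE];
    }

    // When the query must stay dynamic: keep the value bound rather than
    // concatenated, run in user mode, and strip any fields the running user
    // cannot read before the records leave the controller.
    public static List<Contact> searchDynamic(String term) {
        String pattern = '%' + term + '%';
        String q = 'SELECT Id, Name, Email FROM Contact WHERE Name LIKE :pattern';
        List<Contact> rows = Database.queryWithBinds(
            q,
            new Map<String, Object>{ 'pattern' => pattern },
            AccessLevel.USER_MODE
        );
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }
}
```

A finding against searchUnsafe is partner-controlled code and must be fixed; a finding that reproduces only through the standard component rendering these records, with the controller already in this hardened form, is the case the FAQ says to document as a platform-related false positive.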
Reasoning
I made minor improvements to make the language more conversational and direct by using contractions (doesn't, can't, don't) and simplifying complex phrases. These changes align with the voice and tone guidelines while preserving all existing content and structure.

Regarding the related security rules, I selected rules that directly relate to the security concepts discussed in this FAQ:

- ApexCRUDViolation: The FAQ explicitly mentions 'Proper CRUD/FLS enforcement' as a responsibility when partner code interacts with standard components
- ApexSharingViolations: Related to the sharing/access control aspects mentioned in the CRUD/FLS enforcement point
- ApexXSSFromEscapeFalse and ApexXSSFromURLParam: The FAQ mentions 'input validation and output encoding' which directly relates to preventing XSS vulnerabilities
- VfUnescapeEl: Also relates to the output encoding mentioned in the FAQ
- ApexSOQLInjection: Connected to the 'input validation' requirement mentioned in the FAQ
- ApexOpenRedirect: Part of the broader input validation and security practices the FAQ discusses when ensuring safe usage of platform components