ApexXSSFromEscapeFalse - lpohl-Reply/pmd-github-action GitHub Wiki
Rule: ApexXSSFromEscapeFalse
Message
Apex classes should escape Strings in error messages
Description
Reports calls to addError whose escape argument is false. The message passed to addError is rendered directly to the user in the UI, so when escaping is disabled any HTML or script contained in that message (for example, text copied from a user-supplied field) is rendered as markup, which makes it prime ground for XSS attacks.
Priority
3
Example
```apex
public without sharing class Foo {
    public static void flagRecord(String vulnerableHTMLGoesHere) {
        // escape=false: the message reaches the page unescaped (this call is what the rule reports)
        Trigger.new[0].addError(vulnerableHTMLGoesHere, false);
    }
}
```
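The same situation in a trigger handler, as an added example that is not part of the PMD rule page: the reported form beside the default (escaped) form, plus the case where markup in the message is genuinely wanted and the untrusted fragment is escaped with String.escapeHtml4() instead. The class name, the validation logic and the help link are assumptions for illustration.

```apex
// Added example (not PMD's own code). Assumed trigger-handler class for Account records.
public with sharing class AccountValidation {
    public static void validate(List<Account> records) {
        for (Account a : records) {
            if (String.isBlank(a.Industry)) {
                // Reported by ApexXSSFromEscapeFalse: a.Name is user-controlled and
                // escape=false lets any <script> or markup in it reach the page as-is.
                // a.addError('Industry is required for ' + a.Name + '.', false);

                // Default form: the platform HTML-escapes the whole message before rendering.
                a.addError('Industry is required for ' + a.Name + '.');
            }
            if (a.NumberOfEmployees != null && a.NumberOfEmployees < 0) {
                // Only when markup is genuinely needed (here an assumed help link):
                // escape every untrusted fragment yourself, then keep the trusted markup.
                String safeName = String.escapeHtml4(a.Name);
                a.addError('Employee count for ' + safeName + ' cannot be negative. '
                    + '<a href="/lightning/o/Account/list">Back to the list</a>', false);
            }
        }
    }
}
```

The rule keys on the literal false argument, so the last call is still reported; treat such a finding as a review prompt to confirm every untrusted fragment was escaped, and prefer the default form whenever the message needs no markup.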