Salesforce Platform Developer I (legacy) — Question 86

A developer has an Apex controller for a Visualforce page that takes an ID as a URL parameter.
How should the developer prevent a cross site scripting vulnerability?

Answer options

• A. ApexPages.currentPage().getParameters().get('url_param')
• B. String.escapeSingleQuotes(ApexPages.currentPage().getParameters().get('url_param'))
• C. String.ValueOf(ApexPages.currentPage().getParameters().get('url_param'))
• D. ApexPages.currentPage().getParameters().get('url_param').escapeHtml4()

Correct answer: D

Explanation

The correct answer is D because escapeHtml4() properly encodes HTML entities to prevent cross site scripting attacks. Option A does not provide any protection, while option B only escapes single quotes, which is insufficient. Option C simply converts the parameter to a string without any security measures.