nerdexam

PDI Question #231: Real Exam Question with Answer & Explanation

The correct answer is B: <apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}" />. The question asks you to identify the Visualforce code snippet that might introduce a security vulnerability, specifically cross-site scripting (XSS).

Submitted by parkjh · Apr 18, 2026 · User Interface

Question

Which code in a Visualforce page and/or controller might present a security vulnerability?

Options

  • A. <apex:outputField value="{!ctrl.userInput}" rendered="{!isEditable}" />
  • B. <apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}" />
  • C. <apex:outputField value="{!ctrl.userInput}" />
  • D. <apex:outputText value="{!$CurrentPage.parameters.userInput}" />

Explanation

Option B is the vulnerable one. $CurrentPage.parameters.userInput is a URL query-string parameter, so its value is chosen by whoever crafts the link, and escape="false" tells <apex:outputText> to write that value into the page as raw HTML. A request such as ?userInput=<script>...</script> is therefore executed in the victim's browser: a reflected cross-site scripting (XSS) flaw. Leave escape at its default of true, or, where raw output is genuinely required, wrap the value in HTMLENCODE(). Note that component escaping covers the HTML body context only; a value placed inside a <script> block or an event-handler attribute must be encoded with JSENCODE() or JSINHTMLENCODE() instead.

Common mistakes.

  • A. The <apex:outputField> component HTML-escapes its output by default, so it is protected against XSS. The rendered attribute only decides whether the component is emitted at all; it has no effect on escaping.
  • C. The same <apex:outputField> component without a rendered attribute; its output is escaped in exactly the same way.
  • D. The <apex:outputText> component defaults to escape="true", so the request parameter is HTML-escaped and any injected markup is shown as literal text rather than executed.

Concept tested. Visualforce security and XSS vulnerabilities

Reference. https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_xss.htm
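The page below is an added example, not code from the exam question or from Salesforce's documentation. It shows the vulnerable pattern from option B next to the three safe ways of rendering the same request parameter, one per output context: the HTML body (default escaping or HTMLENCODE), a script block (JSENCODE) and an inline event handler (JSINHTMLENCODE). The parameter name userInput, the component id greeting and the test payload are assumptions made for the example.

```html
<!-- Added example (not from the original page). Load it as
     /apex/XssDemo?userInput=%3Cscript%3Ealert(document.domain)%3C/script%3E
     to see the safe variants render the payload as harmless text. -->
<apex:page showHeader="false" sidebar="false">

  <!-- VULNERABLE (option B). escape="false" disables HTML-escaping, so the
       attacker-controlled query parameter is written into the page as raw
       markup and the <script> payload executes. Commented out on purpose;
       uncomment only in a sandbox to reproduce the finding. -->
  <!--
  <apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}" />
  -->

  <!-- SAFE in HTML body context (option D). The default escape="true"
       turns < > & " ' into entities, so the payload is displayed, not run. -->
  <p>Escaped by default:
    <apex:outputText value="{!$CurrentPage.parameters.userInput}" />
  </p>

  <!-- SAFE when escape="false" is genuinely required: encode explicitly.
       HTMLENCODE() produces the same entity encoding as the default. -->
  <p>Explicitly encoded:
    <apex:outputText escape="false"
                     value="{!HTMLENCODE($CurrentPage.parameters.userInput)}" />
  </p>

  <!-- SAFE in an inline event handler. The value sits inside a JavaScript
       string that is itself inside an HTML attribute, so it needs both
       layers of encoding: JSINHTMLENCODE() does JS escaping, then HTML
       escaping. HTML-only escaping here would let a single quote break out
       of the string literal. -->
  <input type="button" value="Show parameter"
         onclick="alert('{!JSINHTMLENCODE($CurrentPage.parameters.userInput)}');" />

  <!-- Target element for the script below; id is an assumption. -->
  <apex:outputPanel id="greeting" layout="block" />

  <!-- SAFE in a script block. Component escaping does not apply inside
       <script>; JSENCODE() escapes quotes, backslashes and line breaks so
       the value cannot terminate the string literal. Writing it via
       textContent (not innerHTML) keeps it text on the DOM side as well. -->
  <script>
    var greeting = 'Hello, {!JSENCODE($CurrentPage.parameters.userInput)}';
    document.getElementById('{!$Component.greeting}').textContent = greeting;
  </script>

</apex:page>
```

The rule the example encodes: pick the encoding function from the context the value lands in, not from the component that emits it. escape="true" and HTMLENCODE() are correct only for the HTML body; once the value is inside a script or an event-handler attribute, the browser is already in JavaScript parsing mode and entity encoding alone is not enough.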

Topics

#Visualforce · #Security Vulnerabilities · #Cross-Site Scripting (XSS) · #apex:outputText
