Digby.  Thanks for brining this issue to our attention.  We take security issues very seriously and want to get to the bottom of what is going on.

We have some follow up questions that we are going to send you directly.  When we have fully understood the situation and determined that any corrective action needs to be taken we will post that resultion back here so that everyone can see the closure. 

Thanks. 

Hi Digby~

Here is a technical summary of the issue. 

In Skuid’s Apex code, we construct strings of JavaScript which are added to the page and interpreted by the browser. Skuid does proactively look for XSS vulnerabilities and escape them out within our Apex. Modern browsers have built in protection against XSS vulnerabilities which also help, but there are ways to disable these protections in some browsers. One of these ways is by setting a particular header in the response: X-XSS-Protection: 0. 

It appears that Salesforce sets this header when pages are served up from a Community or Portal. Skuid was relying on the browser’s built in XSS protection so disabling it allowed for the vulnerability you noticed. The latest release of Rockaway includes a fix that will escape tags in the part of the code that processed URL parameters. Thus, even if the browser feature is disabled, XSS attempts via URL parameters will fail. 

Thanks again for alerting us of this issue as security issues are a very serious concern.
Karen