Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Anti-patterns

Inline JavaScript

Inline JavaScript gives an attacker a place to inject script, enabling injection attacks such as cross-site scripting (XSS), which can lead to site defacement, unauthorized access, and data theft.

Code vulnerable to server-side payload injection

Server-side JSON or XML injection can happen when data from an untrusted source is written directly to a JSON or XML stream without first being sanitised by the server.

Code vulnerable to cross-site scripting (XSS)

Cross-site scripting (XSS) covers a broad range of attacks in which malicious HTML or client-side script is supplied to a Web application, which then includes that script in a response served to one of its users.

Code vulnerable to SOQL/SOSL injection

SOQL/SOSL injection is a serious security vulnerability that results from constructing a database query insecurely from user-supplied data. When queries are built by concatenating user input instead of using type-safe bind parameters, malicious input can change the structure of the query and bypass or alter the application logic.

Inline Cascading Style Sheets (CSS)

When CSS style tags and attributes are used, the HTML parser switches to a CDATA or raw-text context, which is prone to code injection. For this reason, inline CSS is considered unsafe and should be avoided.

Insecure JavaScript operations

Some JavaScript operations, such as eval and other reflection-style operations that evaluate code at runtime, introduce a significant security risk. For this reason, they are blocked by Lightning Locker and are generally discouraged.