Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Embrace Lightning and Leave JavaScript Buttons Behind

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the security challenges of using JavaScript.
  • List common use cases for JavaScript custom buttons.

JavaScript Buttons: It’s Time to Move On

We know that you love JavaScript buttons and have been using them in Salesforce Classic for years. In fact, you might be reluctant to migrate to Lightning Experience because JavaScript buttons aren’t supported. But Lightning Experience offers so much more than Salesforce Classic, and it is the future. 

We realize that you expect and rely on us to always migrate existing functionality to new features and UI, but in the case of JavaScript buttons, we believe that the future is brighter in Lightning Experience, even without JavaScript button support. And in this module, we show you why.

JavaScript buttons and links are types of actions in the Salesforce Classic UI that let you create inline JavaScript code that can be invoked via a button or link embedded on a record or list page. For example, maybe you prepopulate new records with data upon creation and update values in fields based on other logic. Or maybe you’re a Salesforce partner who uses custom buttons to integrate with your platform.

If JavaScript buttons are so useful, why don’t we support them in Lightning Experience? Because there are significant security challenges with combining untrusted JavaScript from multiple sources and authors together with the application source code, while maintaining trust.

We cover those security and functional challenges, and share with you the alternatives to JavaScript buttons that are mobile- and Lightning-friendly. We also look at features in Salesforce that you can use to migrate the functionality that you’ve built using custom buttons.

We’re committed to solving the problem of client-side customization and integration. Let us show you a new approach to thinking about JavaScript button functionality in Lightning Experience.

JavaScript Button Security Issues and Use Cases

One of the coolest benefits of Lightning Experience is that you can add your custom Lightning web components to record, Home, and other pages. For example, you might choose to add a map component to your Account record pages. Or you could provide a component for your AppExchange app that can be added to the Home page or an Opportunity record.

However, without some safeguards, the components have access to each other’s data, shared access to the window and event structures, and access to any client-side API. A partner’s component for HIPAA compliance or financial information, for example, could be accessed by a component from a different source when both components are on the same page. As you can imagine, this cross-component access could lead to security and regulatory issues.

What’s Up with Inline JavaScript

Before we discuss the safeguards that Salesforce has in place for Lightning web component security, let’s highlight some of the issues with in-line JavaScript. JavaScript is a loosely typed programming language, supported by all modern web browsers without a plug-in. It can persist data and state through cookies and storage APIs, and it can access events, URLs, and cookies through the browser. What makes JavaScript both useful and dangerous is that it has full access to the Document Object Model (DOM) and Browser Object Model (BOM).

With access to the DOM, a programmer can add, change, or delete almost anything found in an HTML or XML document. In the right hands, this is useful because JavaScript provides an API for working with text, dates, and regular expressions, so it’s easy to add client-side functionality with JavaScript snippets that enhance the base user interface. However, this is also a significant vulnerability because with Cross Site Scripting (XSS), malicious actors can gain access via JavaScript to the DOM or BOM and wreak havoc.

When a website enables dynamic content, hackers can use XSS to inject malicious client-side code into the web pages that are viewed by normal users. The hackers can then harness a user’s session and cookies to run scripts to extract data, log keystrokes, manipulate form entries, and even access APIs.

Lightning Web Security: Making Lightning Web Components More Secure

The good news is that Salesforce is already working on a solution to make Lightning web components more secure and restrict JavaScript’s unfettered access. This solution is Lightning Web Security (LWS), which uses various technologies and techniques that are intended to prevent:

  • XSS and similar security issues
  • Unrestricted DOM access
  • Calls to unsecure APIs

At the same time, Lightning Web Security features also enable:

  • The import and use of components from other namespaces
  • Secure interaction with global objects
  • Improved performance
  • Better third-party JavaScript library support
  • Compatibility with standard JavaScript as it evolves

So you now know that Lightning web components are built to be more secure. But how can you benefit from using them, and how can you re-create your JavaScript button functionality within Lightning Experience? We’ll show you shortly. But first, let’s look at how you might be using JavaScript buttons in Salesforce Classic.

What People Are Doing with JavaScript Buttons

We heard from many customers, some with hundreds of JavaScript buttons in their orgs. We also talked to partners about their JavaScript button use cases. We collated what we learned into a broader set of operations. Here are the most common use cases for JavaScript buttons.

  • Use or manipulate values on a record before the save.
    • Validate fields—ensure that values are populated and/or meet criteria
    • Prefill values based on inputs in other fields
    • Redirect to a Visualforce page based on input values
    • Display confirmation pop-up screens
  • Create records with prepopulated values.
  • Trigger flows built in Flow Builder.
  • Call out to Salesforce or external APIs.
  • Integrate with third parties.
  • Perform mass actions on records in a list.
  • Direct methods and procedures via feedback pop-up screens for users.

There are more scenarios, and some use cases that are so specific to an org that they’re impossible to categorize. Coming up, we cover features that you can use to address all the use cases we mentioned, and migrate JavaScript button functionality to the Salesforce mobile app and Lightning Experience.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback