Embrace Lightning and Leave JavaScript Buttons Behind
Learning Objectives
JavaScript Buttons: It’s Time to Move On
JavaScript buttons and links are types of actions in the Salesforce Classic UI that let you create inline JavaScript code that can be invoked via a button or link embedded on a record or list page. For example, maybe you prepopulate new records with data upon creation and update values in fields based on other logic. Or maybe you’re a Salesforce partner who uses custom buttons to integrate with your platform.
If JavaScript buttons are so useful, why don’t we support them in Lightning Experience? Because there are significant security challenges with combining untrusted JavaScript from multiple sources and authors together with the application source code, while maintaining trust.
We’ll cover those security and functional challenges, and share with you the alternatives to JavaScript buttons that are mobile- and Lightning-friendly. We’ll also look at features in Salesforce that you can use to migrate the functionality that you’ve built using custom buttons.
We’re committed to solving the problem of client-side customization and integration. Let us show you a new approach to thinking about JavaScript button functionality in Lightning Experience.
JavaScript Button Security Issues and Use Cases
However, without some safeguards, the components have access to each other’s data, shared access to the window and event structures, and access to any client-side API. A partner’s component for HIPAA compliance or financial information, for example, could be accessed by a component from a different source when both components are on the same page. As you can imagine, this cross-component access could lead to security and regulatory issues.
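The cross-component access described above, and one way a per-namespace view closes it, shown as an added example. It is not Salesforce code and not how Lightning Locker is implemented: a plain object stands in for the shared window, and the `health` and `crm` namespaces, key names, and helper functions are assumptions made for illustration.

```javascript
// Constructed sample: one page-level store that every component script can reach,
// standing in for a window object shared by scripts from different authors.
function makePage() {
  return {
    'health:patientId': 'P-0001 (constructed)',
    'crm:accountName': 'Acme (constructed)',
  };
}

// Unsafe: every component receives the same object, so any of them
// can read or overwrite another component's data.
function sharedView(page) {
  return page;
}

// Safer (hypothetical helper): each namespace receives a Proxy that only
// exposes keys carrying its own "<namespace>:" prefix.
function isolatedView(page, namespace) {
  const owns = (key) => typeof key === 'string' && key.startsWith(namespace + ':');
  return new Proxy(page, {
    get: (target, key) => (owns(key) ? target[key] : undefined),
    set: (target, key, value) => {
      if (!owns(key)) throw new TypeError(`${namespace} cannot write ${String(key)}`);
      target[key] = value;
      return true;
    },
    has: (target, key) => owns(key) && key in target,
    ownKeys: (target) => Reflect.ownKeys(target).filter(owns),
    getOwnPropertyDescriptor: (target, key) =>
      owns(key) ? Reflect.getOwnPropertyDescriptor(target, key) : undefined,
    deleteProperty: (target, key) => owns(key) && delete target[key],
  });
}

// A component from the "crm" namespace that lists everything it can see.
function crmComponent(view) {
  return Object.keys(view).map((key) => `${key}=${view[key]}`);
}
```

With `sharedView`, the `crm` component enumerates the `health` record as well as its own; with `isolatedView(page, 'crm')`, it sees only `crm:` keys and a write to a `health:` key throws.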
What’s Up with Inline JavaScript
Before we discuss the safeguards that Salesforce has in place for Lightning component security, let’s highlight some of the issues with inline JavaScript. JavaScript is a loosely typed programming language, supported by all modern web browsers without a plug-in. It can persist data and state through cookies and storage APIs, and it can access events, URLs, and cookies through the browser. What makes JavaScript both useful and dangerous is that it has full access to the Document Object Model (DOM) and Browser Object Model (BOM).
With access to the DOM, a programmer can add, change, or delete almost anything found in an HTML or XML document. In the right hands, this is useful because JavaScript provides an API for working with text, dates, and regular expressions, so it’s easy to add client-side functionality with JavaScript snippets that enhance the base user interface. However, this is also a significant vulnerability because with cross-site scripting (XSS), malicious actors can gain access via JavaScript to the DOM or BOM and wreak havoc.
When a website enables dynamic content, hackers can use XSS to inject malicious client-side code into the web pages that are viewed by normal users. The hackers can then harness a user’s session and cookies to run scripts to extract data, log keystrokes, manipulate form entries, and even access APIs.
Lightning Locker: Making Lightning Components More Secure
- XSS and similar security issues
- Unrestricted DOM access
- Calls to undocumented/private APIs
- Client-side API versioning
- Faster security review (AppExchange)
- Better JavaScript development practices
- Easy updates to security features and policies
So you now know that Lightning components are built to be more secure. But how can you benefit from using them, and how can you re-create your JavaScript button functionality within Lightning Experience? We’ll show you shortly. But first, let’s look at how you might be using JavaScript buttons in Salesforce Classic.
What People Are Doing with JavaScript Buttons
- Use or manipulate values on a record before the save
- Validate fields—ensure that values are populated and/or meet criteria
- Prefill values based on inputs in other fields
- Redirect to a Visualforce page based on input values
- Display confirmation pop-up screens
- Create records with prepopulated values
- Trigger flows built in Flow Builder
- Call out to Salesforce or external APIs
- Integrate with third parties
- Perform mass actions on records in a list
- Direct methods and procedures via feedback pop-up screens for users
There are more scenarios, and some use cases that are so specific to an org that they’re impossible to categorize. Coming up, we’ll cover features that you can use to address all the use cases we mentioned, and migrate JavaScript button functionality to the Salesforce mobile app and Lightning Experience.
Resources
- Trailhead: Aura Components Basics module
- Salesforce Developers Blog: Introducing Lightning Locker for Lightning Components
- Lightning Aura Components Developer Guide