ACTION REQUIRED: Review Hyperlink Formula Fields for JavaScript


If you are an administrator of a Salesforce org, you might have received the email below.

We have checked our package, and two fields in it use JavaScript in hyperlink formula fields. We have revised the formulas so that they no longer contain JavaScript. This was patched this morning.

If you want to make sure that you are not using JavaScript in hyperlink formula fields, you can run the following script in the Execute Anonymous Window of the Developer Console:

Map<String, Schema.SObjectType> schemaMap = Schema.getGlobalDescribe();
for(String type:schemaMap.keySet()) {
    Schema.SObjectType candidateSchema = schemaMap.get(type);
    Map<String, Schema.SObjectField> fieldMap = candidateSchema.getDescribe().fields.getMap();
    for(String field:fieldMap.keySet()) {
        Schema.DescribeFieldResult fieldDesc = fieldMap.get(field).getDescribe();
        String formula = fieldDesc.getCalculatedFormula(); // null for non-formula fields
        if(formula != null && formula.containsIgnoreCase('hyperlink') && formula.containsIgnoreCase('javascript:')) {
            System.debug(type + '.' + field + ': ' + formula); // object, field and formula
        }
    }
}

Open the Developer Console, click the Debug dropdown and click Open Execute Anonymous Window. Paste the script into the window that appears. Make sure Open Log is checked and then click Execute. This will take a few seconds. When the result is shown, check Debug Only: if the screen is empty, there is no JavaScript in hyperlink formula fields in your org. If text does appear, it shows the object, the field and the field value of each field that needs to be changed. Every new line (so every new field) starts with [9]Debug.
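If the script reports many fields, the downloaded debug log can be filtered offline rather than read in the console. The Python script below is an added example, not part of our package or of Salesforce's tooling; it assumes the debug statement is on line 9 of the script and prints "object.field: formula", and the sample log in it is constructed.

```python
import re

# Event lines in a debug log start with "HH:MM:SS.f (nanos)|"; any other line
# continues the previous event (for example a formula that spans lines).
EVENT = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ \(\d+\)\|(?P<rest>.*)$")
# Assumed message layout: "<object>.<field>: <formula>" from System.debug().
FINDING = re.compile(
    r"^USER_DEBUG\|\[(?P<line>\d+)\]\|DEBUG\|"
    r"(?P<obj>[^.|\s]+)\.(?P<field>[^:\s]+): (?P<formula>.*)$"
)

# Constructed sample log, not taken from a real org.
SAMPLE_LOG = """\
41.0 APEX_CODE,DEBUG;APEX_PROFILING,INFO
Execute Anonymous: Map<String, Schema.SObjectType> schemaMap = Schema.getGlobalDescribe();
09:15:02.1 (1301100)|EXECUTION_STARTED
09:15:04.7 (2650113377)|USER_DEBUG|[9]|DEBUG|account.open_map__c: HYPERLINK("javascript:void(0)", "Map")
09:15:05.2 (3150220011)|USER_DEBUG|[9]|DEBUG|case.escalate__c: IF(IsClosed, "",
HYPERLINK("javascript:void(0)", "Escalate"))
09:15:05.9 (3850991100)|EXECUTION_FINISHED
"""

def flagged_fields(log_text, script_line=9):
    """Return [(object, field, formula)] for USER_DEBUG events from script_line."""
    findings, open_finding = [], None
    for raw in log_text.splitlines():
        event = EVENT.match(raw)
        if event is None:
            if open_finding is not None:  # continuation of a multi-line formula
                open_finding[2] += "\n" + raw
            continue
        open_finding = None  # a new event closes any open finding
        m = FINDING.match(event["rest"])
        if m and int(m["line"]) == script_line:
            open_finding = [m["obj"], m["field"], m["formula"]]
            findings.append(open_finding)
    return [tuple(f) for f in findings]

if __name__ == "__main__":
    for obj, field, formula in flagged_fields(SAMPLE_LOG):
        print(f"{obj}.{field}\n    {formula!r}")
```

Object and field names appear in lowercase because the describe maps the script iterates over use lowercase keys.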




Product & Service Notification
As an admin of a Salesforce org using hyperlink formula fields containing JavaScript, we are reminding you that starting with the Spring '17 release in February 2017, we began a three-phase effort to eliminate the use of JavaScript in hyperlink formula fields. In Summer '17* we continue this effort with the introduction of a Critical Update Console (CRUC) setting which allows admins to opt-in to blocking the execution of JavaScript in hyperlink formula fields by activating the CRUC.

*Currently targeted for June 2017; date subject to change.
Why is Salesforce making this change?
Trust is Salesforce’s #1 value and product security is a key aspect of Trust. Salesforce has identified the inclusion of JavaScript in hyperlink formula fields as a potential security vulnerability that can allow malicious code to be executed within an org. To protect you and your Salesforce environment, we are removing this vulnerability.

Salesforce will block JavaScript execution in hyperlink formula fields via a phased approach. Salesforce defines these fields as custom hyperlink formula fields starting with the string "javascript:".

As of the Spring '17 release, admins can no longer create new hyperlink formula fields containing JavaScript. Editing and saving existing fields containing JavaScript is also prevented unless the JavaScript is being removed.

In the Summer '17 release, a Critical Update Console (CRUC) setting will be introduced, allowing admins to opt-in to blocking the execution of JavaScript in hyperlink formula fields by activating this setting.

The phased approach will conclude with the Winter '18 release** when execution of JavaScript in hyperlink formula fields will be prevented.

** Currently targeted for October 2017; date subject to change.
What action do I need to take?
Before activating this update, we recommend that you review the use of JavaScript in HYPERLINK functions in your Salesforce org and begin migration toward alternative solutions. For more information on possible alternatives to JavaScript in hyperlink formula fields, read the Hyperlink Formula Fields for JavaScript Disablement article.
How can I get more information?
See the Summer '17 Release Notes for more information on this change. For more information on CRUC, review the Respond to Critical Updates documentation.

For additional questions, open a case with Support via the Help & Training portal.