Jan 4, 2017 by Security Review Operations Team
S-Controls have been phased out since the Spring ’09 release and superseded by Visualforce. However, we still see a few partners using them in their apps. Visualforce pages are considered the next generation of S-Controls and should replace them. S-Controls pose a security risk and will not be allowed for use in any new package.
If you are submitting a net new application for security review, please make sure that your solution does not contain S-Controls. If S-Controls are detected in your submission, it will not be allowed into the queue.
If you are submitting a Trialforce Template for review and your package contains S-Controls, please note that your app will be called out and placed in the upcoming re-review cycle. The S-Controls will need to be removed when submitting for re-review. This is only allowed for older AppExchange apps.
When your app is due and called out for re-review, remember to take the necessary steps to remove any prior S-Controls that were implemented.
We understand that some apps have been around since before S-Controls were superseded and still contain these components. S-Controls cannot currently be fully removed from a managed package, and empty S-Controls cannot be saved. But good news! While we are working to have the deprecation functionality enabled, please follow these directions to redirect the S-Controls:
- For URL type S-Controls, you can simply redirect to existing Visualforce pages within the package.
- As for HTML type S-Controls, you will need to ensure that an empty HTML block is in place for the content. This can be accomplished by using the following: <html></html>