User Interface 2-6 Flashcards

1
Q

What types of resources are included in a Lightning Component bundle?

Choose 3 answers.

A. JavaScript code
B. SVG file
C. Apex code
D. PNG file
E. CSS file

A

A. JavaScript code, B. SVG file, E. CSS file
JavaScript, SVG, and CSS files are valid resource types included in a Lightning Component bundle.

🧠 Explanation:
A Lightning Component bundle includes:
✅ JavaScript code – for client-side logic.
✅ SVG file – for custom icons used in App Builder.
✅ CSS file – for styling components.

❌ Apex code – is not included directly in the bundle; it is referenced separately.
❌ PNG file – image files are not part of the component bundle.

🔗 Documentation:
https://developer.salesforce.com/docs/atlas.en-us.228.0.lightning.meta/lightning/ref_bundle_comp.htm
https://developer.salesforce.com/docs/atlas.en-us.lightning.meta/lightning/components_bundle_overview.htm

📚 Additional resources:
- Trailhead module: https://trailhead.salesforce.com/content/learn/modules/lex_dev_lc_basics
- GitHub examples: https://github.com/trailheadapps
- Video overview: https://www.youtube.com/watch?v=Dr4Kk5gImhE

2
Q

A developer of Cosmic Solutions is building a Lightning web component that will allow the current user to search for an account record, view the account details, get additional information about the account from an external system in real time, and update the account and related records using the entered information. The company is using a private sharing model for account records. However, the Lightning web component should allow the current user to access any account record that is stored in Salesforce, regardless of whether the user can view the record. The developer will be creating an Apex controller to perform actions like retrieving and updating the account record. Which of the following are valid considerations related to this use case?

Choose 2 answers.

A. An @AuraEnabled Apex controller enforces the current user’s CRUD permissions and field-level security by default.
B. The behavior of an @AuraEnabled Apex controller that does not use a sharing keyword defaults to ‘with sharing’.
C. Enforcing sharing rules in an @AuraEnabled Apex controller impacts DML operations but not SOQL queries.
D. The Apex controller must use the ‘without sharing’ keyword to bypass sharing rules that apply to the user.

A

A. An @AuraEnabled Apex controller enforces the current user’s CRUD permissions and field-level security by default.
D. The Apex controller must use the ‘without sharing’ keyword to bypass sharing rules that apply to the user.

🧠 Explanation:
✅ Option A is correct because @AuraEnabled methods enforce the current user’s CRUD and field-level security permissions by default.
✅ Option D is correct because ‘without sharing’ allows the Apex controller to ignore the private sharing model and access records the user normally could not see.

❌ Option B is incorrect: If no sharing keyword is used, the controller defaults to ‘without sharing’, not ‘with sharing’.
❌ Option C is incorrect: Sharing rules affect both DML operations and SOQL queries.

🔗 Documentation:
https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_security_sharing_rules.htm
https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm

📚 Additional resources:
- https://trailhead.salesforce.com/content/learn/modules/apex_integration_services
- https://trailhead.salesforce.com/content/learn/modules/data_security
- https://www.youtube.com/watch?v=WvJ_jT_y-G0

3
Q

The IT Director of Cosmic Solutions would like to prevent Cross-Site Request Forgery (CSRF) attacks on the company’s website. Which of the following is the specific defense mechanism provided by Salesforce that can prevent these attacks?

Choose 1 answer.

A. Anti-CSRF Security
B. CSRF Protection
C. Security Token
D. Anti-CSRF Token

A

D. Anti-CSRF Token

🧠 Explanation:
✅ Option D is correct. Within the Lightning platform, Salesforce implements an anti-CSRF token as a hidden field in pages. This token is validated on each page load to ensure that the request is legitimate. This specific token is the actual mechanism Salesforce uses to protect against CSRF.

❌ Option A refers to the general concept of anti-CSRF security, not a specific mechanism.
❌ Option B (CSRF Protection) is too generic; while true in theory, it doesn’t name the exact mechanism.
❌ Option C (Security Token) is unrelated and used mainly for API authentication.

🔗 Documentation:
Reset Your Security Token
Cross-Site Request Forgery (CSRF)

📚 Additional resources:

  • OWASP CSRF Overview: https://owasp.org/www-community/attacks/csrf
4
Q

The Salesforce developer of Cosmic Lights has created a few Visualforce pages that contain external links. They want to prevent the browser from loading scripts disguised as other file types when users access external content and websites via these links. What default feature would be helpful for this purpose?

A. Lightning Web Security
B. Content Security Policy Protection
C. Cross-Site Request Forgery Protection
D. Content Sniffing Protection

A

✅ D. Content Sniffing Protection
🧠 Explanation:
- ✅ D. Correct: Content Sniffing Protection prevents browsers from trying to interpret (or “sniff”) the MIME type of a file differently than declared. This is critical when opening external links, as it protects users from scripts disguised as benign file types (like images or documents).

❌ Incorrect:
- A. Lightning Web Security: Applies to Lightning Web Components, not to Visualforce pages.
- B. Content Security Policy (CSP): Helps mitigate XSS and data injection attacks, but does not directly address MIME-type sniffing.
- C. CSRF Protection: Prevents unauthorized actions from authenticated users — unrelated to file/script interpretation from external content.

🔗 Official documentation:
- Clickjack and Content Sniffing Protection in Salesforce
- Salesforce Security Guide – Browser Security Settings

📚 Additional resources:
- Trailhead: Application Security
- OWASP - MIME Sniffing

5
Q

A custom screen component is being developed for a screen flow that is used for sending documents to an offline storage platform. The Salesforce developer would like to improve the user experience when an administrator configures the screen component in Flow Builder by utilizing a custom property editor. For example, there are different sets of fields required depending on the authentication method selected for connecting to the storage platform. Only the necessary fields can be displayed in the property editor based on the selection. Which of the options below are valid statements related to the requirement?

Choose 2 answers.

A. A custom property editor can be registered for a custom screen component by defining the name of the custom editor in the screen component’s JavaScript controller.
B. The automaticOutputVariables public property should be exposed in the custom property editor’s JavaScript controller to access automatically stored values in Flow Builder.
C. The automaticOutputVariables public property should be defined in the custom property editor’s configuration file to access automatically stored values in Flow Builder.
D. A custom property editor can be registered for a custom screen component by defining the name of the custom editor in the screen component’s configuration file.

A

✅ B. The automaticOutputVariables public property should be exposed in the custom property editor’s JavaScript controller to access automatically stored values in Flow Builder.
✅ D. A custom property editor can be registered for a custom screen component by defining the name of the custom editor in the screen component’s configuration file.
🧠 Explanation:
- ✅ B. Correct: Exposing a public property named automaticOutputVariables in the JavaScript controller of the custom property editor allows it to access automatically stored values like record collections or return values of Flow elements.
- ✅ D. Correct: The custom property editor is registered in the configuration file (.js-meta.xml) of the custom screen component using the configurationEditor tag.

❌ Incorrect:
- A: The editor is not registered in the JavaScript controller, but in the configuration file.
- C: The automaticOutputVariables attribute is not defined in the configuration file, but as a public property in the JavaScript controller.

🔗 Official documentation:
- Custom Property Editors for Flow Screen Components
- Use automaticOutputVariables in Property Editors

📚 Additional resources:
- Trailhead: Build Screen Flows with Custom Components
- Salesforce LWC Dev Guide: Configuration File Elements

6
Q

A Lightning message channel called “SampleChannel” is used by custom Lightning components and a Visualforce page on a Lightning page for sending and receiving messages. A Salesforce developer is creating a custom Lightning web component and needs to publish messages in the channel whenever a user has completed processing a record using the custom component so that other components on the page can respond to the update if necessary. Which of the following can be used in order to reference the Lightning message channel in the component’s client-side controller?

Choose 1 answer.

A. import sampleChannel from "@salesforce/messageService/SampleChannel";
B. import sampleChannel from "@salesforce/messageChannel/SampleChannel__c";
C. import sampleChannel from "@salesforce/messageChannel/SampleChannel";
D. import sampleChannel from "@salesforce/messageService/SampleChannel__s";

A

✅ B. import sampleChannel from "@salesforce/messageChannel/SampleChannel__c"

🧠 Explanation:
The correct way to import a Lightning Message Channel (LMC) into a Lightning Web Component is through the scoped module @salesforce/messageChannel/ChannelName__c. Even though __c is generally associated with custom objects, in this case it is also the proper suffix for custom metadata types like LightningMessageChannel.

This allows the component to subscribe to or publish messages on the channel via Lightning Message Service.

❌ Why the others are incorrect:
- A: @salesforce/messageService/... is not a valid import path for channels.
- C: Missing the required __c suffix.
- D: __s is not a recognized suffix for message channels.

🔗 Official documentation:
- Lightning Message Service Overview
- Metadata Reference: LightningMessageChannel

📚 Additional resources:
- Trailhead: Lightning Web Components and Salesforce Data
- Blog: How to Use Lightning Message Service in LWC

7
Q

A Salesforce developer is building a Lightning web component, which acts as the source component that contains buttons that allow users to navigate to specific URL-addressable Lightning web components. Which of the following are valid statements in this scenario?

A. The lightning/navigation module can be used by the source component to navigate to URL-addressable components.
B. The lightning__UrlAddressable target is used to enable a Lightning web component to be addressable via a page URL.
C. URL-addressable components follow the URL format /lightning/addressable/c__MyComponent?c__myProperty=myValue.
D. Parameters can be passed via the state object where the data type of the property can be a string, number, or boolean.

A

A, B
✅ A. The lightning/navigation module allows Lightning Web Components to navigate to other components, including URL-addressable components.
✅ B. The lightning__UrlAddressable target in the targets section of a component’s meta file enables the component to be navigated to via a URL.

❌ C. The correct format includes a double underscore, but the URL should follow /lightning/cmp/c__MyComponent rather than /lightning/addressable/....
❌ D. Parameters are passed using the state object, but only when navigating programmatically using the NavigationMixin, not via the URL in lightning__UrlAddressable pages.

🔗 Official documentation:
- Make a Component URL Addressable
- NavigationMixin Reference

📚 Additional resources:
- Build URL-Addressable Components Trailhead Module
- LWC Navigation Patterns
