Block Execution of JavaScript in the HYPERLINK Function (Critical Update)

Previously, you could use JavaScript to prepare the URL argument in a HYPERLINK function. However, this approach introduces a security vulnerability because JavaScript can include cross-site scripting and make the URL execute on behalf of users. This critical update blocks the execution of JavaScript used to specify a URL in the HYPERLINK function.
Available in: Personal, Group, Professional, Enterprise, Performance, Unlimited, Developer, Contact Manager, and Editions

Before activating this update, we recommend that you review the use of JavaScript in HYPERLINK functions in your Salesforce org and begin migration toward alternative solutions. Here are some possible workarounds.
  • Custom button or link to execute onClick JavaScript. See Custom Buttons or Links. Supported in Salesforce Classic only.
  • Lightning Experience Quick Action button. Create JavaScript in a Lightning Experience component executed through a Quick Action button. Supported in Lightning Experience only.
  • Custom Visualforce page with an Apex controller to redirect to the correct URL. Take this approach if you can execute client-side conditional logic to redirect the user to where you want. Create an empty Visualforce page and an Apex controller. Pass the required values from the link to the controller. Then execute the logic to determine the URL in the controller method, to perform the redirect.
We recommend that you test this update in a sandbox or Developer Edition org. Check the behavior of the HYPERLINK function in formula fields. This critical update is enabled for all orgs on the auto-activation date.

For information on how to locate formula fields impacted by the CRUC, see Using Apex Code in Workbench to Find JavaScript.