Skip to Content
Author's profile photo Stefan Seufert

XSS Prevention in UI5


this is my first blog post in the SCN – and I hope it will be helpful.

At first I have to say that XSS prevention is part of the UI5 framework. If you bind a model to a view and malicious code is inserted into an UI5 control, the JS-code will be escaped and not executed in the browser.


So far so good… But is it possible to write malicious code to your database by an OData-Model? Yes it is!!!

If you don’t escape the user-inputs the code will be written into the database:


You should prevent this server side (never trust a client), because if a non UI5 client will use your OData Service it will receive the infected JS-Code. And if this client will not esescape them, the JS code will be executed in the clients browser. You can escape strings by using the following ABAP statements in the implementation of your OData Gateway.


The result is a clean database:




Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      which abap statements?

      Author's profile photo Stefan Seufert
      Stefan Seufert
      Blog Post Author

      Hey Robbe,

      Thanks for your Reply... Sorry but I lose the screenshot maybe while editing my blog post... Now you can see the Screenshot. You can use the following Statement:


      If you have further questions, just ask me...


      Author's profile photo Former Member
      Former Member

      No problem Stefan! 😉