Hi,

this is my first blog post in the SCN – and I hope it will be helpful.

At first I have to say that XSS prevention is part of the UI5 framework. If you bind a model to a view and malicious code is inserted into an UI5 control, the JS-code will be escaped and not executed in the browser.

/wp-content/uploads/2015/03/ui5_672077.png

So far so good… But is it possible to write malicious code to your database by an OData-Model? Yes it is!!!

If you don’t escape the user-inputs the code will be written into the database:

DB.png

You should prevent this server side (never trust a client), because if a non UI5 client will use your OData Service it will receive the infected JS-Code. And if this client will not esescape them, the JS code will be executed in the clients browser. You can escape strings by using the following ABAP statements in the implementation of your OData Gateway.

/wp-content/uploads/2015/03/escaping_data_672360.png


The result is a clean database:

DB_escaped.png

Greetings,

Stefan

To report this post you need to login first.

3 Comments

You must be Logged on to comment or reply to a post.

    1. Stefan Seufert Post author

      Hey Robbe,

      Thanks for your Reply… Sorry but I lose the screenshot maybe while editing my blog post… Now you can see the Screenshot. You can use the following Statement:

      /wp-content/uploads/2015/03/escaping_data_672369.png

      If you have further questions, just ask me…

      Greetings

      (0) 

Leave a Reply