XSS Prevention in UI5

Hi,

this is my first blog post in the SCN – and I hope it will be helpful.

At first I have to say that XSS prevention is part of the UI5 framework. If you bind a model to a view and malicious code is inserted into an UI5 control, the JS-code will be escaped and not executed in the browser.

So far so good… But is it possible to write malicious code to your database by an OData-Model? Yes it is!!!

If you don’t escape the user-inputs the code will be written into the database:

You should prevent this server side (never trust a client), because if a non UI5 client will use your OData Service it will receive the infected JS-Code. And if this client will not esescape them, the JS code will be executed in the clients browser. You can escape strings by using the following ABAP statements in the implementation of your OData Gateway.

The result is a clean database:

Greetings,

Stefan

3 Comments

You must be Logged on to comment or reply to a post.

Former Member

March 26, 2015 at 8:18 am

which abap statements?

Stefan Seufert

Blog Post Author

March 26, 2015 at 8:25 am

Hey Robbe,

Thanks for your Reply... Sorry but I lose the screenshot maybe while editing my blog post... Now you can see the Screenshot. You can use the following Statement:

If you have further questions, just ask me...

Greetings

Former Member

March 26, 2015 at 8:30 am

No problem Stefan! 😉

XSS Prevention in UI5

Assigned Tags