This is my first blog post on SCN, and I hope it will be helpful.
First of all, XSS prevention is built into the UI5 framework: if you bind a model to a view and malicious code ends up in a UI5 control, the JavaScript is escaped and not executed in the browser.
So far so good. But is it possible to write malicious code into your database through an OData model? Yes, it is!
If you don't escape the user input, the code is written into the database as-is:
You should prevent this on the server side (never trust a client): if a non-UI5 client consumes your OData service, it will receive the injected JavaScript, and if that client does not escape it, the code will execute in the client's browser. You can escape strings with the following ABAP statements in the implementation of your OData Gateway service:
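As an added example (not the screenshot from the original post), this sketches the escaping step inside a redefined CREATE_ENTITY of the Gateway data provider class, using the built-in ESCAPE function with CL_ABAP_FORMAT=>E_XSS_ML; the entity name 'Comment', the structure type ZCOMMENT_S and the table ZCOMMENT are assumed placeholder names.

```abap
METHOD /iwbep/if_mgw_appl_srv_runtime~create_entity.
  " Assumed structure with the text fields TITLE and TEXT (placeholder names).
  DATA ls_comment TYPE zcomment_s.

  CASE iv_entity_name.
    WHEN 'Comment'.
      " Read the payload the client sent in the OData POST body.
      io_data_provider->read_entry_data( IMPORTING es_data = ls_comment ).

      " Never trust the client: escape every free-text field before it
      " reaches the database. E_XSS_ML replaces < > & and quotes with
      " HTML entities, so "<script>" is stored as "&lt;script&gt;".
      ls_comment-title = escape( val    = ls_comment-title
                                 format = cl_abap_format=>e_xss_ml ).
      ls_comment-text  = escape( val    = ls_comment-text
                                 format = cl_abap_format=>e_xss_ml ).

      INSERT zcomment FROM ls_comment.
      IF sy-subrc <> 0.
        RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
          EXPORTING textid = /iwbep/cx_mgw_busi_exception=>business_error.
      ENDIF.

      " Return the stored (escaped) entity to the caller.
      copy_data_to_ref( EXPORTING is_data = ls_comment
                        CHANGING  cr_data = er_entity ).
  ENDCASE.
ENDMETHOD.
```

Escaping makes the text longer, so a CHAR field sized for the raw input can silently truncate the escaped value; a STRING field, or a length check before the INSERT, avoids that.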
The result is a clean database: