Cross Site Scripting
Cross site scripting (XSS) is a way of attacking a Web server through a Web application, for example by means of a manipulated HTML page displayed in a browser.
Cross site scripting is a wide-ranging topic that cannot be covered in full here. ABAP application developers are not usually concerned with creating Web pages directly: these pages are normally wrapped in frameworks such as Web Dynpro or Web Services, and these frameworks are responsible for the necessary security.
An ABAP program is itself responsible for security only in the very rare cases where it is not part of one of these frameworks and generates HTML pages itself, for example directly using the Internet Communication Framework (transaction SICF). The predefined function escape is the method most often used for the required masking of output. Other escape methods, such as those in the classes CL_HTTP_UTILITY, CL_HTTP_SERVER, and CL_HTTP_CLIENT, are obsolete and should no longer be used.
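An added example, not taken from the SAP documentation or from the class CL_HTTP_EXT_SERVICE_DEMO, of a minimal ICF handler that writes a request parameter into a generated HTML page: the unmasked variant shows the defect, the corrected variant uses the predefined function escape with the format matching the HTML context of each insertion point. The class name ZCL_XSS_DEMO_HANDLER and the form field name 'name' are assumptions.

```abap
" Added example: hypothetical ICF handler class (name assumed).
" Assign it as the handler of a service node in transaction SICF.
CLASS zcl_xss_demo_handler DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
  PRIVATE SECTION.
    METHODS build_page_unsafe IMPORTING name TYPE string RETURNING VALUE(html) TYPE string.
    METHODS build_page_safe   IMPORTING name TYPE string RETURNING VALUE(html) TYPE string.
ENDCLASS.

CLASS zcl_xss_demo_handler IMPLEMENTATION.
  METHOD if_http_extension~handle_request.
    " The form field 'name' (assumed) is taken from the request as sent by the client.
    DATA(lv_name) = server->request->get_form_field( 'name' ).
    server->response->set_content_type( 'text/html; charset=utf-8' ).
    " Only the masked page is sent; build_page_unsafe is kept for comparison.
    server->response->set_cdata( build_page_safe( lv_name ) ).
  ENDMETHOD.

  METHOD build_page_unsafe.
    " Defect: the input is inserted into the page unmasked, so characters such as
    " < or " in the value are interpreted by the browser as markup, not as text.
    html = |<html><body><p>Hello { name }</p>| &&
           |<input type="text" value="{ name }"></body></html>|.
  ENDMETHOD.

  METHOD build_page_safe.
    " Each insertion point is masked with the format of its context:
    " e_html_text for element content, e_html_attr for a quoted attribute value.
    html = |<html><body><p>Hello { escape( val = name format = cl_abap_format=>e_html_text ) }</p>| &&
           |<input type="text" value="{ escape( val = name format = cl_abap_format=>e_html_attr ) }">| &&
           |</body></html>|.
  ENDMETHOD.
ENDCLASS.
```

The format argument matters: a value that is safe as element text is not automatically safe inside an attribute or a script block, so the escape format is chosen per insertion point rather than once per page.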
Note
Business Server Pages (BSP) are an exception to the rule above: when Business Server Pages are created, ABAP application developers can also be faced with HTML pages and must take the appropriate security precautions. More specifically, the attribute forceEncode="ENABLED" must be set in the tag <htmlb:content> of the HTMLB Library, and obsolete values such as CLASSIC or DESIGN2002 can no longer be specified in the attribute design.
Examples
The example String Functions, escape for XSS demonstrates a simple cross site scripting attack that becomes possible when input is not masked and is used on a generated HTML page.
In the ICF Services example, the class CL_HTTP_EXT_SERVICE_DEMO uses the predefined function escape to prevent cross site scripting.
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved