ABAP Keyword Documentation → ABAP - Reference → Processing Internal Data → Character String and Byte String Processing → Expressions and Functions for String Processing → String Functions → Examples of String Functions
String Functions, escape for XSS
This example demonstrates the string function escape
for preventing XSS.
Other versions:
7.31 | 7.40 | 7.54
Source Code
CONSTANTS xss_demo TYPE string
VALUE `foo" onmouseover="alert('Gotcha!')`.
DATA: query TYPE string VALUE `ABAP Objects`,
esc_flag TYPE abap_bool VALUE abap_true,
xss_flag TYPE abap_bool VALUE abap_false.
DO.
in->add_field( EXPORTING text = 'Input'
CHANGING field = query
)->add_field( EXPORTING text = 'Escape'
as_checkbox = 'X'
CHANGING field = esc_flag
)->request( EXPORTING text = 'XSS-Demo'
as_checkbox = 'X'
CHANGING field = xss_flag ).
IF query IS INITIAL AND xss_flag = abap_false.
EXIT.
ENDIF.
IF to_upper( xss_flag ) = abap_true.
query = escape( val = xss_demo
format = cl_abap_format=>e_xss_ml ).
xss_flag = abap_false.
CONTINUE.
ENDIF.
IF to_upper( esc_flag ) = abap_true.
query = escape( val = query
format = cl_abap_format=>e_xss_ml ).
ELSEIF query <> xss_demo.
MESSAGE
`Without escaping only the prepared XSS-Demo is allowed.`
TYPE 'I'.
CONTINUE.
ENDIF.
DATA(html) =
`<html>` &&
`<body>` &&
`<p><a href="` && icf_node &&
`?query=` && query &&
`">Search in ABAP Documentation</a></p>` &&
`<p><a href="http://www.google.com/search?q=` &&
query && `">Search with Google</a></p>` &&
`</body>` &&
`</html>` ##no_text.
cl_abap_browser=>show_html( html_string = html
buttons = abap_true
check_html = abap_false ).
ENDDO.
Description
A search term can be entered in a dialog box. An output window provides a search function in the ABAP
keyword documentation and with an external search engine. By default, the input is escaped using the
function escape
and the format cl_abap_format=>e_xss_ml
. This prevents cross site scripting
(XSS).
The function can be disabled for specific input, which demonstrates the effects of an XSS attack. The input makes the links on the output window and the following input field unusable. More harmful functions could be used instead of the JavaScript function alert, but are not permitted in this example.