ABAP Keyword Documentation → ABAP - Security Notes → Security Risks Caused by Input from Outside
Cross Site Scripting
Cross site scripting (XSS) is a way of attacking a Web server using a Web application, for example using a manipulated HTML page displayed in a browser. Cross site scripting is a wide-ranging topic that cannot be covered in full here and ABAP application developers are not usually concerned with creating Web pages directly. These pages are normally wrapped in frameworks such as SAPUI5, Web Dynpro or Web Services and these frameworks are responsible for the necessary security.
An ABAP program is itself responsible for security only in the very rare cases where it is not part of one of these frameworks and generates HTML pages itself, for example directly using
Internet Communication
Framework (transaction SICF). The built-in function
escape
is most often used to do this. Other escape methods, such as the
classes CL_HTTP_UTILITY, CL_HTTP_SERVER, and CL_HTTP_CLIENT are obsolete and should no longer be used.
Other versions:
7.31 | 7.40 | 7.54
Note
Business Server Pages (BSP) are an exception to the rule above: When Business Server Pages are created, ABAP application developers can also be faced with HTML pages and must take the appropriate security precautions. More specifically, the attribute <htmlb:content forceEncode="ENABLED"> must be set in the HTMLB Library and obsolete values such as CLASSIC or DESIGN2002 can no longer be specified in the attribute design.
Executable Examples
- The example String Functions, escape for XSS demonstrates simple cross site scripting possible when input is not masked and is used on a generated HTML page.
- In the ICF Services example, the class
CL_HTTP_EXT_SERVICE_DEMO uses the built-in function
escape
to prevent cross site scripting.