
Cross Site Scripting

Cross site scripting (XSS) is a way of attacking a Web server by way of a Web application, for example by means of a manipulated HTML page displayed in a browser. Cross site scripting is a wide-ranging topic that cannot be covered in full here, and ABAP application developers are not usually concerned with creating Web pages directly: these pages are normally wrapped in frameworks such as SAPUI5, Web Dynpro, or Web Services, and these frameworks are responsible for the necessary security.

An ABAP program is itself responsible for security only in the very rare cases where it is not part of one of these frameworks and generates HTML pages itself, for example directly by using the Internet Communication Framework (transaction SICF). The built-in function escape is the usual means of doing this. Other escape methods, such as those in the classes CL_HTTP_UTILITY, CL_HTTP_SERVER, and CL_HTTP_CLIENT, are obsolete and should no longer be used.
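The following ICF handler is an added example, not code from the ABAP documentation or from SAP: it reflects an untrusted request parameter into a generated HTML page and uses the built-in function escape with the format matching each output context (element text, attribute value, URL). The class name, the parameter name and the link path are assumptions for illustration, and the class would still have to be registered on an ICF node in transaction SICF to be reachable.

```abap
" Added example (not from the ABAP documentation): a minimal ICF handler
" that reflects a request parameter into an HTML page. The class name,
" the parameter name 'name' and the link path are assumptions.
CLASS zcl_xss_demo_handler DEFINITION PUBLIC CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
  PRIVATE SECTION.
    METHODS build_page
      IMPORTING iv_name        TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS zcl_xss_demo_handler IMPLEMENTATION.
  METHOD if_http_extension~handle_request.
    " The form field comes from the caller and is untrusted input.
    DATA(lv_name) = server->request->get_form_field( 'name' ).

    server->response->set_header_field( name  = 'Content-Type'
                                        value = 'text/html; charset=utf-8' ).
    server->response->set_cdata( build_page( lv_name ) ).
  ENDMETHOD.

  METHOD build_page.
    " Each output context gets the escape format that fits it:
    "   e_html_text for element content,
    "   e_html_attr for attribute values,
    "   e_url       for data placed into a URL query parameter.
    DATA(lv_text) = escape( val = iv_name format = cl_abap_format=>e_html_text ).
    DATA(lv_attr) = escape( val = iv_name format = cl_abap_format=>e_html_attr ).
    DATA(lv_url)  = escape( val = iv_name format = cl_abap_format=>e_url ).

    " Only the escaped variants are ever concatenated into the markup.
    rv_html = |<!DOCTYPE html><html><head><title>Demo</title></head><body>|
           && |<h1>Hello, { lv_text }</h1>|
           && |<input type="text" value="{ lv_attr }">|
           && |<a href="/sap/bc/zxss_demo?name={ lv_url }">link</a>|
           && |</body></html>|.
  ENDMETHOD.
ENDCLASS.
```

The point of the three calls is that the escape format is chosen per context, not per input: the same parameter needs different encoding inside element text, inside a quoted attribute and inside a URL, and reusing one encoding for all three leaves one of the contexts under-protected. Writing iv_name into rv_html directly would put any markup the caller supplied verbatim into the page, which is the defect the built-in function exists to prevent.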

Business Server Pages (BSP) are an exception to the rule above: when Business Server Pages are created, ABAP application developers can be faced with HTML pages directly and must take the appropriate security precautions. More specifically, the attribute forceEncode="ENABLED" must be set on <htmlb:content> from the HTMLB library, and obsolete values such as CLASSIC or DESIGN2002 can no longer be specified in the attribute design.

Executable Examples

  • In the ICF Services example, the class CL_HTTP_EXT_SERVICE_DEMO uses the built-in function escape to prevent cross site scripting.