URL Input Validation on AS ABAP
Output encoding is the most effective way to protect Web applications against XSS. As an alternative to output encoding, you can validate the input.
Sanitizing could solve problems in the contexts marked ...NEVER PUT UNTRUSTED DATA HERE..., which are described in the examples in the previous topics.
URL Validation
URL validation can be used whenever a navigation URL is created from different input sources, for example, a database address, application parameters, and user input. The available methods allow for the input of absolute (complete) URLs.
For AS ABAP, the method to use is CL_HTTP_UTILITY=>IS_VALID_URL(). For more information, see the F1 Help or the ABAP Online Help in the corresponding system.
Path / URL Path Normalization
Normalization of a path means validation and removal of path traversals.
For AS ABAP, the method to use is CL_HTTP_UTILITY=>NORMALIZE_URL(). For more information, see the F1 Help or the ABAP Online Help in the corresponding system.
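The following added example is a conceptual Python sketch of the two checks described above: validating an absolute navigation URL and normalizing an untrusted path. It is not SAP code and does not reproduce the behavior of the CL_HTTP_UTILITY methods. The function names, the http/https allowlist, and the host portal.example.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote, quote

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web navigation targets


def is_valid_absolute_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that name a host."""
    # Reject whitespace, control characters and backslashes up front.
    if any(ord(c) < 0x21 or c == "\\" for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def normalize_path(path: str) -> str:
    """Decode once, resolve dot segments, refuse to climb above the root."""
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded path")
    if any(ord(c) < 0x20 for c in decoded):
        raise ValueError("control character in path")
    stack = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue  # empty and current-directory segments carry no meaning
        if seg == "..":
            if not stack:
                raise ValueError("path traversal above root")
            stack.pop()
        else:
            stack.append(seg)
    return quote("/" + "/".join(stack))


def build_navigation_url(base: str, user_path: str) -> str:
    """Append an untrusted path to a trusted base, then validate the result."""
    if not is_valid_absolute_url(base):
        raise ValueError("invalid base URL")
    parts = urlsplit(base)
    # Normalize the untrusted part alone so it cannot escape the base path.
    safe = normalize_path(user_path)
    full = urlunsplit((parts.scheme, parts.netloc,
                       parts.path.rstrip("/") + safe, "", ""))
    if not is_valid_absolute_url(full):
        raise ValueError("invalid navigation URL")
    return full
```

Normalizing the untrusted segment before joining it to the base keeps a value such as `../admin` from resolving to a sibling of the base path.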