
Encoded Functionality

Use

The WebDynpro UI framework does not decode the data it receives from the backend; it passes the string on 'as is' without pre-processing it, because the client libraries would be at risk if the framework decoded the string for them.

The raw data, for instance in an Edm.String, is encoded so that it fits safely into the Atom XML body without corrupting the XML or injecting XML constructs. For example, a string containing <xml>This attack won't work</xml> is automatically escaped, so the string content is plain text and cannot be misinterpreted as XML elements:

<d:text> &lt;xml&gt; This attack won't work &lt;/xml&gt; </d:text>

The client libraries unescape the text when reconstructing the string content from the XML payload. So if you have a string that contains:

This is an attack attempt: <script type="text/javascript">alert("XSS")</script>

the XML will contain:

This is an attack attempt: &lt;script type="text/javascript"&gt;alert("XSS")&lt;/script&gt;

This encoded version is safe for the client library. It decodes the content and places it into a JavaScript variable, which is still safe, until you insert that value into your DOM as markup without checking the content.
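As an added example (not SAP's WebDynpro or OData client code), the following JavaScript models the round trip described above: the backend escapes the raw string into the Atom body, the client library decodes it back, and the decoded value stays safe only while it is rendered as text. The function names and the sample payload are my own constructions.

```javascript
// Added example, not SAP WebDynpro or OData client code: models the round trip
// described above for an Edm.String carried in an Atom XML body.

// Backend side: escape the characters that would otherwise let a value
// introduce elements or entities into the Atom payload ('&' first, so the
// entities produced by the other replacements are not escaped twice).
function escapeXml(raw) {
  return raw.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Client side: what the client library does when it reconstructs the string.
// '&amp;' is decoded last so that '&amp;lt;' yields '&lt;', not a bare '<'.
function unescapeXml(encoded) {
  return encoded.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Wrap a raw value as the <d:text> element the Atom body carries.
function toAtomText(raw) {
  return `<d:text>${escapeXml(raw)}</d:text>`;
}

// Client-side extraction. The [^<]* pattern doubles as a check: a correctly
// encoded body contains no raw '<', so any markup inside the element is
// rejected rather than silently passed through.
function fromAtomText(xml) {
  const m = /^<d:text>([^<]*)<\/d:text>$/.exec(xml);
  if (!m) throw new Error('payload is not a single <d:text> element with text-only content');
  return unescapeXml(m[1]);
}

// The decoded value is inert while it sits in a JavaScript variable. Rendering
// it as text (what element.textContent does) re-escapes the markup; assigning
// it to innerHTML would instead create a live <script> element. This returns
// the HTML-safe form that a textContent assignment produces.
function renderAsText(value) {
  return escapeXml(value);
}

// Constructed sample: the attack string from the text above.
const raw = 'This is an attack attempt: <script type="text/javascript">alert("XSS")</script>';
const atom = toAtomText(raw);           // what the backend sends
const decoded = fromAtomText(atom);     // what the client library hands you
console.log(atom);
console.log(decoded === raw);           // true: the client gets the raw string back
console.log(renderAsText(decoded));     // safe to put in the page as text
```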