Show TOC

URL Whitelist FilteringLocate this document in the navigation structure

The SAPUI5 framework provides a client-side API to manage a white list for URLs. This whitelist can be used to validate arbitrary URLs if they are permitted or not.

Internal examples of how controls can use this feature are those controls which accept arbitrary HTML content like the sap.ui.richttexteditor.RichTextEditor and the sap.ui.core.HTML. These controls use the URL white list when a check (sanitization) is performed on the content. URLs inside their content are then automatically removed, except if they are listed in the URL whitelist. The option to sanitize the value can be enabled or disabled in the respective control properly via the RichTextEditor.sanitizeValue or the HTML.sanitizeContent property. For the HTML control it is disabled by default whereas for the RichTextEditor the sanitize option is enabled. When adding a path to the white list be aware to add a “/” at the start of the path if necessary, so “/index.epx” would be the correct entry instead of “index.epx”. The last example below shows this.

Maintaining the URL Whitelist

The whitelist can be maintained with the following API:





Here is an example how valid URLs can be added to the white list:

//* protocol */ undefined, /* host */ undefined, /* port */ undefined, /* path */ undefined);, "");"https", "");, "", "1080");
Validating a URL

A URL can be validated by using the following API: jQuerysapvalidateUrl.

Here is an example how a given URL is validated against the before maintained white list:""); // => true""); // => false (wrong protocol)""); // => true""); // => true

If no whitelist is maintained the URL validity check also basically checks the URL for being defined in a valid format.