URL Whitelist Filtering

The SAPUI5 framework provides a client-side API to manage a whitelist for URLs. This whitelist can be used to check whether arbitrary URLs are permitted.

Controls that accept arbitrary HTML content, such as sap.ui.richtexteditor.RichTextEditor and sap.ui.core.HTML, are internal examples of this feature in use. These controls use the URL whitelist when a check (sanitization) is performed on their content: URLs inside the content are automatically removed unless they are listed in the URL whitelist. Sanitization can be enabled or disabled in the respective control property, RichTextEditor.sanitizeValue or HTML.sanitizeContent. For the HTML control it is disabled by default, whereas for the RichTextEditor it is enabled. When adding a path to the whitelist, add a "/" at the start of the path if necessary: "/index.epx" is the correct entry, not "index.epx". The last example below shows this.

Maintaining the URL Whitelist

The whitelist can be maintained with the following API:

  • jQuery.sap.addUrlWhitelist

  • jQuery.sap.clearUrlWhitelist

  • jQuery.sap.getUrlWhitelist

  • jQuery.sap.removeUrlWhitelist

Here is an example of how valid URLs can be added to the whitelist:


// jQuery.sap.addUrlWhitelist(/* protocol */ undefined, /* host */ undefined, /* port */ undefined, /* path */ undefined);


jQuery.sap.addUrlWhitelist(undefined, "www.sap.com");

jQuery.sap.addUrlWhitelist("https", "sdn.sap.com");

jQuery.sap.addUrlWhitelist(undefined, "sap.de", "1080");

Validating a URL

A URL can be validated by using the following API: jQuery.sap.validateUrl.

Here is an example of how a given URL is validated against the previously maintained whitelist:


jQuery.sap.validateUrl("http://www.sap.com"); // => true

jQuery.sap.validateUrl("http://sdn.sap.com"); // => false (wrong protocol)

jQuery.sap.validateUrl("https://sdn.sap.com"); // => true

jQuery.sap.validateUrl("ftp://sap.de:1080/anyftpfolder"); // => true

If no whitelist is maintained, the URL validity check still checks that the URL is defined in a valid format.
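The following added example is not SAPUI5 code. It is a simplified stand-in that models the matching described on this page, to show why a path entry without the leading "/" never matches. It assumes that an undefined component matches anything and a defined one must be equal; createUrlWhitelist, demo and the host app.example.test are hypothetical names.

```javascript
// Simplified stand-in for the whitelist matching described above.
// Not SAPUI5 code: assumes an undefined component matches anything and a
// defined one must be equal (protocol compared case-insensitively).
function createUrlWhitelist() {
  const entries = [];

  function add(protocol, host, port, path) {
    entries.push({ protocol, host, port, path });
  }

  function validate(url) {
    let parsed;
    try { parsed = new URL(url); } catch (e) { return false; } // format check
    if (entries.length === 0) return true; // no whitelist: format check only
    const actual = {
      protocol: parsed.protocol.replace(/:$/, "").toLowerCase(),
      host: parsed.hostname,
      port: parsed.port,     // "" when the URL uses the default port
      path: parsed.pathname, // a parsed path always starts with "/"
    };
    return entries.some((entry) =>
      Object.keys(actual).every((key) => {
        if (entry[key] === undefined) return true;
        const expected = key === "protocol" ? entry[key].toLowerCase() : entry[key];
        return expected === actual[key];
      })
    );
  }

  return { add, validate };
}

// Constructed sample: the page's three entries, then the path pitfall.
function demo() {
  const wl = createUrlWhitelist();
  wl.add(undefined, "www.sap.com");
  wl.add("https", "sdn.sap.com");
  wl.add(undefined, "sap.de", "1080");
  const page = ["http://www.sap.com", "http://sdn.sap.com", "https://sdn.sap.com",
    "ftp://sap.de:1080/anyftpfolder"].map(wl.validate);

  const noSlash = createUrlWhitelist();
  noSlash.add(undefined, "app.example.test", undefined, "index.epx");
  const withSlash = createUrlWhitelist();
  withSlash.add(undefined, "app.example.test", undefined, "/index.epx");
  const url = "https://app.example.test/index.epx";
  return { page, noSlash: noSlash.validate(url), withSlash: withSlash.validate(url) };
}
```

In this model the entry "index.epx" causes the URL to be rejected, so content that links to it would have the link stripped during sanitization even though the author believed it was allowed.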