URL Input Validation on AS ABAP

Besides output encoding, which is the most effective way to protect Web applications against XSS, it is also possible to validate the input instead of encoding the output.

Note

Input or data validation does not mean input encoding. Input encoding must be avoided in all cases, and where it already exists it must be removed, because it leads to situations where it is unclear whether the data is already encoded. Web servers should always decode the content exactly once, and Web clients should always encode the content exactly once. Most often, input encoding leads to content being encoded twice. Data validation allows writing data to Web clients without output encoding.

Sanitizing can solve problems in the contexts marked ...NEVER PUT UNTRUSTED DATA HERE..., which are described in the examples in the previous topics.

Recommendation

We also recommend using whitelist filtering to further increase protection.

URL Validation

URL validation should always be used when a navigation URL is assembled from different input sources, for example a database address, application parameters, and user input. The available methods accept absolute (complete) URLs as input.

For AS ABAP, the method to use is CL_HTTP_UTILITY=>IS_VALID_URL(). For more information, see the F1 Help or the ABAP Online Help in the corresponding system.

Path / URL Path Normalization

Normalization of a path means validating it and removing path traversal segments.

Tip

Example:

http://www.server.com/path1/path2/../.././././etc/passwd
 =>
 http://www.server.com/etc/passwd

For AS ABAP, the method to use is CL_HTTP_UTILITY=>NORMALIZE_URL(). For more information, see the F1 Help or the ABAP Online Help in the corresponding system.
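The following is an added, stand-alone illustration of the three ideas on this page (whitelist filtering, absolute-URL validation, and path normalization with traversal removal). It is not SAP code and does not reproduce the internals of CL_HTTP_UTILITY=>IS_VALID_URL() or CL_HTTP_UTILITY=>NORMALIZE_URL(); the whitelist of schemes and hosts is a constructed assumption for the example. It applies the decode-once rule from the note above, and it goes one step beyond the page's example by reporting when a ".." segment tries to climb above the root, which a plain normalizer would silently drop but a validator should reject.

```python
# Added illustration (not SAP's CL_HTTP_UTILITY code): validate an absolute URL
# against a whitelist and normalize its path, removing traversal segments.
from typing import List, Tuple
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed whitelist for this example; a real application maintains its own.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.server.com"}


def normalize_path(path: str) -> Tuple[str, bool]:
    """Collapse '.' and '..' segments of an absolute URL path.

    Returns (normalized_path, escaped_root). escaped_root is True when a '..'
    tried to climb above the root: a normalizer discards it, but a validator
    should treat it as a traversal attempt.
    """
    escaped_root = False
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # empty (double slash) or current dir
        if seg == "..":
            if segments:
                segments.pop()            # step back one directory
            else:
                escaped_root = True       # nothing left to pop: above the root
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    # keep a trailing slash when the input ended in one (or in a dot segment)
    if segments and path.endswith(("/", "/.", "/..")):
        normalized += "/"
    return normalized, escaped_root


def validate_url(url: str) -> Tuple[bool, str, str]:
    """Check that url is absolute, on the whitelist, and free of traversal.

    Returns (accepted, reason, normalized_url); normalized_url is empty when
    the URL is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed or URL not absolute", ""
    if not parts.netloc or parts.hostname not in ALLOWED_HOSTS:
        return False, "host not on whitelist", ""
    # Decode exactly once (the server-side rule from the text), then normalize,
    # so that an encoded "%2E%2E%2F" cannot slip past the traversal check.
    path, escaped_root = normalize_path(unquote(parts.path) or "/")
    if escaped_root:
        return False, "path traversal above root", ""
    # Re-encode the path exactly once when rebuilding the URL.
    rebuilt = urlunsplit(
        (parts.scheme.lower(), parts.netloc, quote(path, safe="/"),
         parts.query, parts.fragment)
    )
    return True, "ok", rebuilt


if __name__ == "__main__":
    # Constructed sample inputs; the first one is the page's own example.
    for candidate in (
        "http://www.server.com/path1/path2/../.././././etc/passwd",
        "http://www.server.com/a/../../etc/passwd",
        "http://www.server.com/..%2F..%2Fetc/passwd",
        "http://evil.example/x",
        "/relative/path",
        "javascript:alert(1)",
    ):
        print(candidate, "->", validate_url(candidate))
```

Note that `normalize_path` alone reproduces the page's example (the traversals are collapsed to `/etc/passwd`), while `validate_url` adds the checks a caller actually wants: the URL must be absolute, its scheme and host must be on the whitelist, and a path that tries to escape the root is rejected rather than silently repaired.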