SAP Encoding Functions for AS ABAP

Even though the rules described in Avoiding XSS by Using Correct Output Encoding and Output Encoding Contexts allow for developing your own encoding methods, there are central functions (that is, libraries) that provide encoding for the different contexts. This topic describes functions available on AS ABAP.

For all generic Web applications where you accept input parameters, you must use encoding methods provided by the ICF handler. The implementation of the encoding is available as an API in two variants:

ABAP built-in function ESCAPE (available as of SAP_BASIS >= 731)
Class implementation in CL_ABAP_DYN_PRG

In releases higher or equal to SAP NetWeaver Release 7.0 enhancement package 3 (SAP_BASIS >= 731), use the ABAP built-in function ESCAPE(). For more information, see the ABAP keyword documentation for the ESCAPE() function.

Tip

The following shows an example for the HTML or XML context:

val_escaped = escape( val = val format = cl_abap_format=>e_xss_ml ).

Use the following methods for the different contexts:

Context	Method
HTML / XML	`out = escape(val = val format = cl_abap_format=>e_xss_ml)`.
JavaScript	`out = escape(val = val format = cl_abap_format=>e_xss_js)`
URL	`out = escape(val = val format = cl_abap_format=>e_xss_url)`
CSS	`out = escape(val = val format = cl_abap_format=>e_xss_css)`

For lower releases (SAP_BASIS 702, 720 and below), there is an ABAP OO implementation. The implementation is in class CL_ABAP_DYN_PRG.

CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML 
CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT 
CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS 
CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL

Use the following methods for the different contexts:

Context	Method
HTML / XML	`out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML(val)`
JavaScript	`out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT(val)`
URL	`out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL(val)`
CSS	`out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS(val)`

For more information about the delivery of these extensions, see SAP Note 1582870.

WebDynpro ABAP

For WebDynpro ABAP, you do not have to care about XSS at all. The security is ensured through the framework itself.

Note

If you are using WebDynpro Islands, see the documentation of the Islandprovider (for example, Adobe Flash or Microsoft Silverlight) to prevent cross-site scripting from WebDynpro Islands.

Business Server Pages (BSP)

For BSP, you should use the page directives. For more information, see SAP Notes 1600317 and 1638779. These BSP page attributes have the advantage that the BSP framework ensures that the most secure version of encoding is used.

The syntax is:

<%@page language="abap" forceEncode="html|url|javascript|css"%>

After importing SAP Note 1600317, the existing page directives also use the updated BSP compiler that supports HTML encoding of all print statements on the page.

In the following example, all print statements are using HTML encoding. This only affects print statements on BSP pages, and does not have anything to do with tag parameter passing that uses the same syntax, but has different semantics.

Tip

BSP example:

<%@page language="abap" forceEncode="html"%>


  <html><body><form>
     <% data: inputvalue type string.
       inputvalue = request->get_form_field( 'x' ).
     %>
     <input type=text name=x value="<%=inputvalue%>">
     <input type=submit>
   </form></body></html>

The global page attribute defines the default encoding used within the page and all included page fragments. Besides the global page attributes, you can use the following notations for controlling the encoding behavior of a special print event (overriding the global settings):

<%html=...%>: HTML encoding
<%url=...%>: URL encoding for parameter names or values of URLs
<%javascript=...%>: JavaScript encoding
<%css=…%> : CSS encoding
<%raw=...%> (no encoding, that is, a global encoding that was set in the page-directive is switched off)
Note
Using forceEncode within a page directive in a page fragment has no effect. The encoding within page fragments is always controlled by the including page.

Page Example with Different Contexts

<%@page language="abap" forceEncode="html"%>
   <html><body>
      <% data: inputvalue type string,
                    forward type string.
       inputvalue = request->get_form_field( 'x' ).
           forward = request->get_form_field( 'param' ).
     %> <!-use url encoding for variable forward -->
   <form action="/path/subpath?parameter=<%url=forward%>" method="GET">
 <!-use default encoding for inputvalue -->
     <input type=text name=x value="<%=inputvalue%>">
     <input type=submit>
   </form></body></html>

JavaScript Example:

<%@page language="abap" forceEncode="html"%>
   <html><body>
      <% data: inputvalue type string,
               forward type string,
               message type string.
       inputvalue = request->get_form_field( 'x' ).
       forward = request->get_form_field( 'param' ).
       message = request->get_form_field( 'info' ).
     %>
   <form action="/path/subpath?parameter=<%url=forward%>"
 onSubmit="alert('<%javascript=message%>')" method="GET">
     <input type=text name=x value="<%=inputvalue%>">
     <input type=submit>
   </form></body></html>

BSP Online Text Repository (OTR) Values:

One aspect that is similar to an XSS attack is a translation-related change that breaks the HTML or JavaScript code.

Tip

For example:

  <script>
     var msg = '<otr>Hello</otr>';
   </script>
   <input name=xyz value="<otr>Replace 'dog' with 'cat'</otr>">

Therefore, there is an extra page attribute that you can set. When this attribute is set, all OTR texts are effectively encoded directly after they have been retrieved in their language-dependent form.

Note

The syntax is:

<%@page language="abap" forceEncodeOtr="html|javascript"%>

HTML Example:

<%@page language="abap" forceEncodeOtr="html"%>
 <script>
   var msg = '<otr>Hello</otr>';
   alert(msg);
 </script>

Note

Note that there are cases where the default-forced encoding will not work.

JavaScript Example:

<%@page language="abap" forceEncodeOtr="html"%>
 <script>
   var msg = '<%JavaScript=<otr>Hello</otr>%>';
   alert(msg);
 </script>

BSP Extensions

A consumer of a BSP extension does not know in which context a value passed to an attribute of an extension tag will be located in the generated output. So it is not possible for the consumer to do a proper encoding. In turn, this means that every extension has to do the proper encoding of each attribute value internally.

BSP Extensions HTMLB, XHTMLB and PHTMLB

For the BSP HTMLB library, you must set the attribute forceEncode of the <htmlb:content> tag to ENABLED to switch on the internal encoding because it is set to disabled by default. ENABLED means that the extension will use an appropriate encoding depending on the context within a value is used.

Note

The syntax is:

<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

Where:

ENABLED: This means to always encode everything. This overwrites all other encode attributes and they no longer have to be set.
BACKWARDS_COMPATIBLE: This is the default value. The usual encode attributes are active as previously defined.

For more information, see SAP Note 822881.

In addition, the attribute design of htmlb:content specifies the possible designs a page supports. Valid values are CLASSIC, DESIGN2002, DESIGN2003 or DESIGN2008 or combinations separated with a plus (+) sign. The older designs CLASSIC and DESIGN2002 are no longer supported (and possibly insecure) and are therefore not to be used anymore.

Note

If you do not specify a design, then design=CLASSIC is used. Therefore, we recommend overriding this default with one of the supported designs mentioned.

BSP HTMLB Example:

  <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
      ...
   </htmlb:content>

Mixed BSP Page with HTML and HTMLB Tags

The attribute forceEncode of the BSP page directive @page and the attribute forceEncode of the HTMLB content tag are independent of each other. The first one controls the encoding of variables outside any extension, whereas the later one controls the encoding with the extension HTMLB. Therefore, for a mixed page using HTML in combination with BSP Extensions, you must set both parameters as described in the sections above.

Mixed Page Example:

<%@page language="abap" forceEncode="html"%>
   ...
   <htmlb:content forceEncode="ENABLED">
      ...
      <htmlb:textView text="<%=param%>"/>     (1)
      <%=param%>               (2)
      ...   </htmlb:content>

In this example, the encoding of the variable param in line (1) is controlled by the forceEncode attribute of the htmlb:content tag and the param in line (2) is controlled by the forceEncode attribute of the page directive.

Note

The BSP encoding directive <%url|html|javascript=...%> has no effect when passing values to attributes of extension tags and is simply ignored.

In the following example, the directive to do HTML encoding is ignored. Instead the htmlb tag decides internally which encoding is appropriate.

  <htmlb:content forceEncode="ENABLED">
     ...
     <htmlb:textView text="<%html=param%>"/>
     ...
   </htmlb:content>

Internet Transaction Server (ITS) and HTML Business

For the Internet Transaction Server (ITS) and HTML Business, the following encoding functions are available.

xss_url_escape()
xss_html_escape()
xss_wml_escape()
xss_css_escape()
xss_js_escape()

The functions primarily take a string as an input parameter and return correspondingly escaped strings. The functions have been supported since ITS release 6.20. For more information, see SAP Note 1621946.

For the contexts described in this section, the functions are mapped as follows:

Context	Function
HTML / XML	`xss_html_escape()`
JavaScript	`xss_js_escape()`
URL	`xss_url_escape()`
CSS	`xss_css_escape()`

Proper encoding in pages created by the ITS depends on the way variables are used within templates, that is, using plain HTML Business, using the HTML Business Template Library, or manually calling the functions.

HTML Business

When addressing values of variables using the HTML Business notation: that is, using back quotes (`) or the <server> delimiter, the encoding is controlled by the global parameters:

~auto_html_escaping=1: globally activates encoding
~new_xss_functions=1: globally activates the use of the updated XSS library

This can be overruled locally in the templates by setting the parameter ~html_escaping_off=1/0 in order to switch off or turn on the escaping.

Where and how these parameters are specified depends on the SAP_BASIS release:

For the external ITS (Release <= 6.40), maintain them in the properties of the Internet Service in SE80.
For the internal ITS (Release >= 6.40), maintain them in the GUI properties in transaction SICF as follows:
- Release 6.40-7.11: ~auto_html_escaping=1 and ~new_xss_functions=1
- Release >=7.20: ~auto_html_escaping=1
  As of Release 7.20, there is no need to set the parameter ~new_xss_functions as the updated XSS library is used in all cases.
  
  Note
  You must thoroughly test the application when using this approach because there may be cases where the encoding is too generic and can lead to false encoding. In such cases, you can use set the parameter ~html_escaping_off="X" to deactivate the automatic encoding and manually call the functions named. For more information, see SAP Note 1488500.

Business HTML (BHTML)

The functions of the HTMLBusiness Template Library (for example SAP_TemplateNonEditableField()) always properly encode and cannot be switched on or off. For more information, see SAP Note 916255.

Manual Encoding

You can also manually encode output by using the functions named above. In this case, encode all output.