Although the rules described in Avoiding XSS by Using Correct Output Encoding and Output Encoding Contexts would allow you to develop your own encoding methods, SAP provides central functions (that is, libraries) that encode for the different output contexts, and these should be used in preference to hand-written encoders. This topic describes the functions available from SAP for AS Java and for JavaScript (SAP UI Development Kit for HTML5).
For AS Java, the encoders are delivered in tc_sec_csi.jar. A class with static methods and an interface provide the encodings for the HTML/XML, JavaScript, CSS and URL contexts.
The class name is XSSEncoder (class name with package name: com.sap.security.core.server.csi.XSSEncoder ).
The interface is IXSSEncoder (interface with package name: com.sap.security.core.server.csi.IXSSEncoder ). The interface can be retrieved with com.sap.security.core.server.csi.XSSEncoder.getInstance() .
The class XSSEncoder and interface IXSSEncoder are the successors of the class StringUtils (see SAP Note 866020 and its update note 1601461), so the same dependencies have to be fulfilled, for example, a runtime reference to the JEE library security.class or tc/bl/security/lib and a compiler reference to tc_sec_csi.jar.
The methods to use for each context are:
Context | Method
---|---
HTML / XML | out = XSSEncoder.encodeHTML( val ); and out = XSSEncoder.encodeXML( val );
JavaScript | out = XSSEncoder.encodeJavaScript( val );
URL | out = XSSEncoder.encodeURL( val );
CSS | out = XSSEncoder.encodeCSS( val );
For information about the delivery of these extensions, see SAP Note 1590008.
WebDynpro Java
For Web Dynpro Java, you do not need to call these encoders yourself: the framework performs the output encoding for the values it renders.
SAP UI Development Kit for HTML5
For the SAP UI Development Kit for HTML5, the encoding functions are implemented as a jQuery plug-in in framework/_core/src/main/js/jquery.sap.encoder.js.
The functions to use for the different contexts are:
Context | Function
---|---
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue)
JavaScript | jQuery.sap.encodeJS(sValue)
URL | jQuery.sap.encodeURL(sValue)
CSS | jQuery.sap.encodeCSS(sValue)