SAP Encoding Functions for AS Java and JavaScript

Even though the rules described in Avoiding XSS by Using Correct Output Encoding and Output Encoding Contexts allow for developing your own encoding methods, there are central functions (that is, libraries) that provide encoding for the different contexts. This topic describes functions available from SAP for the AS Java and JavaScript.

AS Java

For AS Java, the encoding is delivered as tc_sec_csi.jar. It contains a static class and an interface that provide the encodings for the HTML/XML, JavaScript, CSS and URL contexts.

The class name is XSSEncoder (class name with package name: com.sap.security.core.server.csi.XSSEncoder).

The interface is IXSSEncoder (interface with package name: com.sap.security.core.server.csi.IXSSEncoder). An instance of the interface can be retrieved with com.sap.security.core.server.csi.XSSEncoder.getInstance().

The class XSSEncoder and interface IXSSEncoder are the successors of the class StringUtils (see SAP Note 866020 and its update note 1601461), so the same dependencies have to be fulfilled, for example, a runtime reference to the JEE library security.class or tc/bl/security/lib and a compiler reference to tc_sec_csi.jar.

The methods to use for each context are:

Context       Method

HTML / XML    out = XSSEncoder.encodeHTML( val ); and out = XSSEncoder.encodeXML( val );
JavaScript    out = XSSEncoder.encodeJavaScript( val );
URL           out = XSSEncoder.encodeURL( val );
CSS           out = XSSEncoder.encodeCSS( val );

For information about the delivery of these extensions, see SAP Note 1590008.

WebDynpro Java

For WebDynpro Java, you do not have to perform XSS output encoding yourself: the framework itself ensures it.

Functions for JavaScript

SAP UI Development Kit for HTML5

For the SAP UI Development Kit for HTML5, the encoding functions are implemented as a jQuery plug-in in framework/_core/src/main/js/jquery.sap.encoder.js.

The functions to use for the different contexts are:

Context       Function

HTML / XML    jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue)
JavaScript    jQuery.sap.encodeJS(sValue)
URL           jQuery.sap.encodeURL(sValue)
CSS           jQuery.sap.encodeCSS(sValue)
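As an added illustration of the context-to-function mapping in both tables above (example code written for this page, not jquery.sap.encoder.js or tc_sec_csi.jar), the following stand-in implements one encoder per output context with the same names as the SAP UI Development Kit functions, and a renderer that places a single untrusted value into all four contexts using the matching encoder. The sample input is constructed.

```javascript
// Added example (not the SAP implementation): one encoder per output context,
// named after the page's functions, plus a renderer that embeds one untrusted
// value in every context with the encoder that context requires.

// HTML / XML text and attribute values: entity-encode the characters that can
// open a tag, close a quoted attribute or start an entity.
function encodeHTML(value) {
  return String(value).replace(/[&<>"'\/]/g, function (c) {
    return "&#x" + c.charCodeAt(0).toString(16) + ";";
  });
}
const encodeXML = encodeHTML; // the same characters are significant in XML

// JavaScript string literal: \xHH / \uHHHH-escape everything outside a small
// safe set, so quotes, backslashes, line terminators and "</" stay inert.
function encodeJS(value) {
  return String(value).replace(/[^A-Za-z0-9_.,\- ]/g, function (c) {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + ("0" + code.toString(16)).slice(-2)
      : "\\u" + ("000" + code.toString(16)).slice(-4);
  });
}

// URL query parameter value: percent-encode, including the characters that
// encodeURIComponent leaves alone but that some URL consumers treat specially.
function encodeURL(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g, function (c) {
    return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// CSS value: backslash-hex escape every non-alphanumeric character; the
// trailing space terminates the escape so following hex digits are not eaten.
function encodeCSS(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, function (c) {
    return "\\" + c.charCodeAt(0).toString(16) + " ";
  });
}

// One untrusted value embedded in four contexts, each with its own encoder.
function renderFragment(userValue) {
  return (
    '<span title="' + encodeHTML(userValue) + '">' + encodeXML(userValue) + "</span>" +
    "<script>var v = '" + encodeJS(userValue) + "';</script>" +
    '<a href="/search?q=' + encodeURL(userValue) + '">search</a>' +
    '<div style="font-family:' + encodeCSS(userValue) + '"></div>'
  );
}

// Constructed sample input, not taken from the page.
const SAMPLE = "<b>O'Neil & Co</b>";
```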