When integrating with SAP Mobile Platform, SiteMinder uses default settings for the Web agent to stop cross-site scripting (XSS) attacks. The SiteMinder default settings do not allow use of special characters and can lead to integration issues with SAP Mobile Platform.
By default, the Web agent does not allow certain characters that are often seen in XSS attacks to be included in the URLs it processes. The Web agent allows only characters that are legal according to the defined HTTP standard.
Native HTTP OData applications typically use, and sometimes require, URLs that contain characters within open and close parentheses and within single quotes. The left and right parenthesis and single-quotes characters are prohibited.
The SiteMinder administrator must modify the Web agent configuration in the policy server to either disable XSS filtering, or change the default forbidden characters.