Security Concepts

Cross-site scripting (XSS) is a widely known vulnerability most web sites have. This page does not provide general information about cross-site scripting but focuses on what you as an application developer using SAPUI5 can do to avoid these security issues.

The SAPUI5 framework provides a client-side API to manage a white list for URLs. This whitelist can be used to validate arbitrary URLs if they are permitted or not.

The HTML5 sanitizer is used to clean up HTML5 code snippets by removing potentially executable JavaScript code.

SAPUI5 supports the configuration of a central whitelist service.

frameOptions is used to prevent security vulnerabilities like clickjacking. With the frameOptions configuration you define whether SAPUI5 is allowed to run embedded in a frame or only from trusted origins or not at all.