Cross-site scripting (XSS) can be prevented by ensuring that it is not possible to inject script code into an application page that runs in a browser.
Controls must prohibit writing scripts to the page that come from the application or from business data saved by a different user. To ensure this, the following two measures must be combined:
Validation of typed control properties
SAPUI5 core validates the value of properties set by the application against the type of the property. This guarantees that an int is always an int, and a sap.ui.core/CSSSize is a string representing a CSS size and does not contain a script tag. This also applies to enumerations and control IDs. The control renderer can rely on this check when writing the HTML. Property values that are typed in this way can be written without escaping.
Control developers must ensure that string control properties, and any other values coming from the application that are not typed strictly enough to rule out an embedded script tag, are escaped when written to the HTML. For this, the RenderManager and SAPUI5 core provide helper methods.
To ensure maximum security for a renderer, note the following:
For control properties, always use the most specific type that is available. For example, use sap.ui.core/CSSSize rather than string or sap.ui.core/string for control properties that refer to a CSS size.
Use helper methods to escape the value of a string property that is written to the HTML:
Use writeEscaped(oControl.getSomeStringProperty()) instead of just write(...) when writing plain text to the HTML.
Use writeAttributeEscaped("someHtmlProperty", oControl.getSomeStringProperty()) instead of just writeAttribute(...) when writing attributes.
Use jQuery.sap.encodeHTML(oControl.getSomeStringProperty()) for string properties where neither of the other two options is possible, to escape the string and then process it further.
Check your HTML coding to determine whether application values can make their way into the HTML:
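The following is an added example, not code from the SAPUI5 documentation or framework. It uses a stand-in RenderManager that mirrors the write / writeEscaped / writeAttribute / writeAttributeEscaped API named above, a simplified encodeHTML in place of jQuery.sap.encodeHTML, and a deliberately narrow isCSSSize check standing in for the real sap.ui.core/CSSSize validation; the LabelControl, its properties and the sample values are all constructed for illustration. It shows how the two measures combine: a typed width is rejected at setter time and can therefore be written plainly, while the two string properties must be escaped by the renderer.

```javascript
// Added example (not SAPUI5 code). Stand-ins for the framework pieces the text
// names, plus a hypothetical control, to show typed validation and escaping.

// Minimal HTML encoder standing in for jQuery.sap.encodeHTML: neutralises the
// characters that can open a tag, close an attribute value, or start an entity.
function encodeHTML(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Simplified CSSSize check (assumption, not the real sap.ui.core/CSSSize type):
// a number with a CSS length unit, a percentage, or the keywords auto/inherit.
// Anything else, including values with ";" or "(", is rejected.
function isCSSSize(value) {
  return /^(auto|inherit|\d+(\.\d+)?(px|em|rem|%|vh|vw|pt))$/.test(String(value));
}

// Stand-in RenderManager: same method names as the text, collects HTML in a buffer.
class RenderManager {
  constructor() { this.buffer = []; }
  write(text) { this.buffer.push(String(text)); return this; }                     // raw
  writeEscaped(text) { this.buffer.push(encodeHTML(text)); return this; }          // escaped
  writeAttribute(name, value) {                                                    // raw
    this.buffer.push(" " + name + '="' + value + '"'); return this;
  }
  writeAttributeEscaped(name, value) {                                             // escaped
    this.buffer.push(" " + name + '="' + encodeHTML(value) + '"'); return this;
  }
  getHTML() { return this.buffer.join(""); }
}

// Hypothetical control: "width" is typed as a CSS size and validated in its
// setter; "text" and "tooltip" are plain strings and carry no such guarantee.
class LabelControl {
  constructor(props) {
    this.setWidth(props.width);
    this.text = props.text;
    this.tooltip = props.tooltip;
  }
  setWidth(w) {
    if (!isCSSSize(w)) throw new TypeError("width is not a CSSSize: " + w);
    this.width = w;
    return this;
  }
  getWidth() { return this.width; }
  getText() { return this.text; }
  getTooltip() { return this.tooltip; }
}

// Unsafe renderer: string properties written with write()/writeAttribute().
function renderUnsafe(control) {
  const rm = new RenderManager();
  rm.write("<span")
    .writeAttribute("style", "width:" + control.getWidth())  // typed: safe to write plainly
    .writeAttribute("title", control.getTooltip())          // string: NOT escaped
    .write(">")
    .write(control.getText())                               // string: NOT escaped
    .write("</span>");
  return rm.getHTML();
}

// Safe renderer: typed value written plainly, string values escaped.
function renderSafe(control) {
  const rm = new RenderManager();
  rm.write("<span")
    .writeAttribute("style", "width:" + control.getWidth())
    .writeAttributeEscaped("title", control.getTooltip())
    .write(">")
    .writeEscaped(control.getText())
    .write("</span>");
  return rm.getHTML();
}

// Constructed sample: business data entered by another user that contains markup
// and a double quote. The typed width is a legitimate CSS size.
const sampleControl = new LabelControl({
  width: "120px",
  text: "<script>alert(1)</script>",
  tooltip: 'a"b',
});

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderUnsafe(sampleControl)); // markup reaches the page
  console.log("safe:  ", renderSafe(sampleControl));   // markup rendered as text
}
```

The safe renderer never needs to know where a string came from: escaping is unconditional for string-typed properties, and only values whose type already excludes markup (here the validated width) are written raw.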