
URL parameters of page com.sap.portal.innerpage causing XSS threat

Hi,

We have customized the SAP toolarea and search iview to redirect the user to our internal search engine page along with its search query string.

Now, URL parameters for com.sap.portal.innerpage are causing XSS threats, as follows:

https://<vendorURL>/irj/servlet/prt/portal/prteventname/Navigate/prtroot/pcd!3aportal_content!2fcom.<vendor>.layout.AoPortalLayoutFolder!2fcom.<vendor>.layout.DesktopFolder!2f<vendor>Desktop_1!2fframeworkPages!2fframeworkpage_1!2fcom.sap.portal.innerpage?url=<url to search engine followed by script entities>&system=<system alias name followed by script tag>&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true

The scripts placed here are getting executed. This exposes the application to a serious XSS threat.

url=<url to search engine followed by script entities>
&system=<system alias name followed by script tag>

Is there any way to validate these URL parameters before they are processed?

Please help.

Thanks and regards,

Amey
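An added example (not from the post and not SAP portal code) of the server-side validation the question asks about, written as plain Java so it does not depend on any portal API: the url parameter is accepted only if it parses as an HTTPS URL whose host is on an allowlist (the host search.intranet.example is an assumed placeholder), the system alias must match a short identifier pattern, and any value echoed back into the page is HTML-encoded.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Set;
import java.util.regex.Pattern;

/* Server-side checks for the two reflected parameters of the customized search iView. */
public final class SearchRedirectValidator {
    // Assumed allowlist: the only permitted redirect target is the internal search engine host.
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("search.intranet.example");
    // A system alias is a short identifier; quotes, angle brackets and spaces are rejected outright.
    private static final Pattern SYSTEM_ALIAS = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    /** Returns the search-engine URL to redirect to, or null if the value must not be used. */
    public static URI validateSearchUrl(String raw) {
        if (raw == null) return null;
        URI uri;
        try {
            uri = new URI(raw);              // a raw '<', '>' or '"' already fails to parse here
        } catch (URISyntaxException e) {
            return null;
        }
        // Relative paths and javascript: or data: URLs have no host and are rejected, as is plain http.
        if (uri.getHost() == null || !"https".equalsIgnoreCase(uri.getScheme())) return null;
        return ALLOWED_HOSTS.contains(uri.getHost().toLowerCase()) ? uri : null;
    }

    public static boolean isValidSystemAlias(String raw) {
        return raw != null && SYSTEM_ALIAS.matcher(raw).matches();
    }

    /** Encode a value before echoing it into HTML or an attribute, even after it passed validation. */
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '<') sb.append("&lt;");
            else if (c == '>') sb.append("&gt;");
            else if (c == '&') sb.append("&amp;");
            else if (c == '"') sb.append("&quot;");
            else if (c == '\'') sb.append("&#x27;");
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: a legitimate search URL, one carrying markup, and two aliases.
        System.out.println(validateSearchUrl("https://search.intranet.example/search?q=sap+portal"));
        System.out.println(validateSearchUrl("https://search.intranet.example/?q=<b>x</b>"));
        System.out.println(isValidSystemAlias("SAP_ECC_PRD") + " " + isValidSystemAlias("PRD<b>"));
    }
}
```

The second URL prints null because java.net.URI refuses the angle brackets, and the second alias fails the pattern; a redirect should only ever be issued for a non-null result.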
