FM to Validate Java script in ABAP

Former Member

Hi All,

We are working on an application which has a few free text fields on the UI. Data entered in the text fields is saved in SAP... Now the issue is that if they write any script in a text field it will be saved in the database. And when they retrieve this text, the script will run..

Please advise if we have any function in SAP which checks whether the text includes script code, so we can check it before saving to the database.

Thanks

Rajesh Dadwal

Accepted Solutions (1)

kammaje_cis
Active Contributor

Rajesh,

You are talking about a general concept of escaping user input.

Use the below class/method within your Gateway method.

DATA: unsafe_input TYPE string,
      safe_input   TYPE string.

" ESCAPED is a RETURNING parameter of ESCAPE_HTML, so it is picked up with RECEIVING
CALL METHOD cl_http_utility=>escape_html
  EXPORTING
    unescaped = unsafe_input
  RECEIVING
    escaped   = safe_input.

Former Member

Thanks Krishna,

I have checked the ESCAPE_JAVASCRIPT method.

DATA: lv_unescaped TYPE string,
      lv_escaped   TYPE string.

" Sample input containing a script tag
lv_unescaped = 'hie how are you<script>alert("alert")</script>'.

" ESCAPED is a RETURNING parameter, hence RECEIVING
CALL METHOD cl_http_utility=>escape_javascript
  EXPORTING
    unescaped   = lv_unescaped
*   inside_html = 'X'   " set when the result is embedded inside HTML
  RECEIVING
    escaped     = lv_escaped.


Return value of lv_escaped: hie how are you\x3cscript\x3ealert(\"alert\")\x3c/script\x3e.


I guess it is changing the script text.. but not telling whether the text includes a script..


Maybe we can compare the input and output values - if both are not the same then some script text is in the input, and we raise errors, as we don't want to save incorrect data which the UI will read later for display...


Please let me know if this is the right way to validate or if we have other options...



Regards,

Rajesh Dadwal

kammaje_cis
Active Contributor

Intrigued by the use case. Do you mind sharing it?

It looks like demoing an XSS threat? Is it so?

Former Member

Yes, you are correct...

We have a custom application which consumes an OData service developed in SAP. A few fields on the UI are free text fields for user input, and the entered data gets stored in SAP tables. Later it is displayed back to the user when they send a data retrieve request.

We are also planning to put validation on the UI so the user can't enter inappropriate data. Anyhow, if someone tricks the UI validation and passes the data to SAP, we want to put checks in place to avoid it before saving to SAP tables. For UI development we are using JavaScript, HTML, CSS and jQuery.

Hope I provided you with the information you asked for..

Thanks

Rajesh Dadwal

kammaje_cis
Active Contributor

Rajesh,

"put validation on the UI so the user can't enter inappropriate data."

This is called sanitising user input. Most programming languages provide APIs for this. So you need to do this once on the UI/JavaScript side and again on the Gateway/ABAP side. cl_http_utility has methods to do it on the Gateway side.


regards

Krishna

Former Member

Thanks Krishna,

That's what we decided to do.. Put validation on both sides.. In ECC, to identify if any script is in a user input field, we are comparing the input text with the text returned from the method cl_http_utility=>escape_javascript to find any differences..

Thanks

Rajesh
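Added example, not from the thread: an ABAP report (program and class names are hypothetical) that wraps the comparison check Rajesh describes and also shows escaping at output time, which is the part that actually stops stored script from running in the browser. The third constructed sample shows the check's limitation: any text containing characters such as < or & is rejected, not only script.

```abap
REPORT ztext_guard_demo.   " hypothetical program name

" Helper class (hypothetical name) wrapping cl_http_utility.
CLASS lcl_text_guard DEFINITION.
  PUBLIC SECTION.
    " abap_true when escape_html would alter the text, i.e. the input
    " contains a character with HTML meaning (e.g. < > & ").
    CLASS-METHODS needs_escaping
      IMPORTING iv_text          TYPE string
      RETURNING VALUE(rv_result) TYPE abap_bool.
    " Escapes for HTML output; apply this when rendering stored text.
    CLASS-METHODS for_html
      IMPORTING iv_text           TYPE string
      RETURNING VALUE(rv_escaped) TYPE string.
ENDCLASS.

CLASS lcl_text_guard IMPLEMENTATION.
  METHOD needs_escaping.
    DATA(lv_escaped) = cl_http_utility=>escape_html( unescaped = iv_text ).
    rv_result = xsdbool( lv_escaped <> iv_text ).
  ENDMETHOD.

  METHOD for_html.
    rv_escaped = cl_http_utility=>escape_html( unescaped = iv_text ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample inputs: plain text, the script from the thread,
  " and harmless text that still contains HTML-significant characters.
  DATA(lt_samples) = VALUE string_table(
    ( `hie how are you` )
    ( `hie how are you<script>alert("alert")</script>` )
    ( `Tom & Jerry, 1 < 2` ) ).

  LOOP AT lt_samples INTO DATA(lv_sample).
    IF lcl_text_guard=>needs_escaping( lv_sample ) = abap_true.
      " In a Gateway create/update method this is where you would raise
      " /iwbep/cx_mgw_busi_exception instead of writing to the list.
      WRITE: / |rejected: { lv_sample }|.
    ELSE.
      WRITE: / |accepted: { lv_sample }|.
    ENDIF.
    " Whatever the decision above, stored text must still be escaped
    " on the way out; this is the actual XSS defence.
    WRITE: / |for display: { lcl_text_guard=>for_html( lv_sample ) }|.
  ENDLOOP.
```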
