on 10-16-2014 3:01 PM
Hi All,
We are working on an application which has a few free text fields on the UI. Data entered in the text fields is saved in SAP... Now the issue is that if they write any script in a text field it will be saved in the database. And when they retrieve this text, the script will run..
Please advise if we have any function in SAP which checks whether text includes script code, so we can check it before saving to the database.
Thanks
Rajesh Dadwal
Rajesh,
You are talking about the general concept of escaping user input.
Use the class/method below within your Gateway method.
CALL METHOD CL_HTTP_UTILITY=>ESCAPE_HTML
  EXPORTING
    unescaped = unsafe_input
  IMPORTING
    escaped   = safe_input.
Thanks Krishna,
I have checked the ESCAPE_JAVASCRIPT method.
I guess it is changing the script text.. but it does not tell whether the text includes a script inside..
Maybe we can compare the input and output values: if both are not the same then some script text is in the input, and raise an error, as we don't want to save incorrect data, which the UI will read later for display...
Please let me know if this is the right way to validate or whether we have other options...
Regards,
Rajesh Dadwal
Yes, you are correct...
We have a custom application which consumes an OData service developed in SAP. A few fields on the UI are free text fields for user input, and the entered data gets stored in SAP tables. Later it is displayed back to the user when they send a data retrieve request.
We are also planning to put validation on the UI so the user can't enter inappropriate data. Anyhow, if someone tricks the UI validation and passes the data to SAP, we want to put a check in place to avoid it before saving to the SAP tables. For UI development we are using JavaScript, HTML, CSS and jQuery.
Hope I provided you with the information you asked for..
Thanks
Rajesh Dadwal
Rajesh,
"put validation on the UI so the user can't enter inappropriate data."
This is called sanitising user input. Most programming languages provide APIs for this. So you need to do this once in the UI/JavaScript and again on the Gateway/ABAP side. cl_http_utility has methods to do it on the Gateway side.
regards
Krishna
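The two approaches discussed in this thread (escaping free text with an HTML-escape utility, and Rajesh's idea of comparing input with escaped output to detect script) side by side, as an added example in JavaScript for the UI side; this is not code from the thread or from SAP, and the exact character set that CL_HTTP_UTILITY=>ESCAPE_HTML encodes is an assumption here:

```javascript
// Added example (not from the thread). `escapeHtml` encodes the five
// characters that matter in HTML text and attribute context; assumed to be
// in the spirit of CL_HTTP_UTILITY=>ESCAPE_HTML, not a copy of its behaviour.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "compare input with escaped output" check from the thread. Note that
// it flags any text containing an HTML special character, not only script,
// so using it to reject input also rejects harmless text such as "a < b".
function containsHtmlSpecials(text) {
  return escapeHtml(text) !== String(text);
}

// Escape at the point of output: whatever was stored in the SAP table is
// rendered as literal text, so a stored <script> tag never executes.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ` +
    `${escapeHtml(body)}</div>`;
}

// Constructed sample inputs: one hostile, two harmless-but-flagged, one plain.
const SAMPLES = [
  '<script>alert(1)</script>',
  'a < b && b > c',
  'Tom & Jerry',
  'plain text only',
];

// Shows which samples the compare-based check would reject.
function classify(samples) {
  return samples.map((s) => ({ text: s, flagged: containsHtmlSpecials(s) }));
}

for (const r of classify(SAMPLES)) {
  console.log(r.flagged ? 'REJECT' : 'accept', JSON.stringify(r.text));
  console.log('  rendered:', renderComment('user', r.text));
}
```

Rejecting on the compare check keeps script out of the table but also refuses legitimate text with `<`, `>` or `&`; escaping on output stores the text unchanged and still renders it harmlessly.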