cancel
Showing results for 
Search instead for 
Did you mean: 

XSS attack in sap portal pdk object

prasad
Participant
0 Kudos

Hi all,

I have created a portal pdk project and configured it for anonymous access . The project accepts the question id through query string as below

http://myportal.com/irj/portal/anonymous/questions?questionid=2;

but due to this there is a possibility for some XSS attacks for example

http://myportal.com/irj/portal/anonymous/questions?questionid=18c78b0'-alert('XSS_INJECTION')-'e3a1f

this gives me a pop up XSS_INJECTION. even though i sanitized the questionid in java code . the Javascript function alert is executed first and the URL hits the Particular servlet/pdk object then.

How can i solve the above issue for removing XSS attacks can that can be handled from Code?

Please do the needful.

Regards

Prasad

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member193577
Active Contributor
0 Kudos

Hi Prasad,

In your component, before returning the response to client you should use the XSSEncoder to encode your output properly.

If its going to HTML you should use XSSEncoder.encodeHTML.

See for example here:

SAP Encoding Functions for AS Java and JavaScript - Secure Programming - SAP Library

BR,

Tal

Former Member
0 Kudos

Hi Prasad,

Have you tried to send the parameters in the request via http POST?

Best regards,

Etay