Skip to Content

XSS attack in sap portal pdk object

Hi all,

I have created a portal pdk project and configured it for anonymous access . The project accepts the question id through query string as below

http://myportal.com/irj/portal/anonymous/questions?questionid=2;

but due to this there is a possibility for some XSS attacks for example

http://myportal.com/irj/portal/anonymous/questions?questionid=18c78b0'-alert('XSS_INJECTION')-'e3a1f

this gives me a pop up XSS_INJECTION. even though i sanitized the questionid in java code . the Javascript function alert is executed first and the URL hits the Particular servlet/pdk object then.

How can i solve the above issue for removing XSS attacks can that can be handled from Code?

Please do the needful.

Regards

Prasad

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • avatar image
    Former Member
    Dec 30, 2014 at 04:14 PM

    Hi Prasad,

    Have you tried to send the parameters in the request via http POST?

    Best regards,

    Etay

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 31, 2014 at 07:46 AM

    Hi Prasad,

    In your component, before returning the response to client you should use the XSSEncoder to encode your output properly.

    If its going to HTML you should use XSSEncoder.encodeHTML.

    See for example here:

    SAP Encoding Functions for AS Java and JavaScript - Secure Programming - SAP Library

    BR,

    Tal

    Add comment
    10|10000 characters needed characters exceeded