on 12-29-2014 12:41 PM
Hi all,
I have created a portal PDK project and configured it for anonymous access. The project accepts the question id through the query string as below:
http://myportal.com/irj/portal/anonymous/questions?questionid=2;
but due to this there is a possibility for some XSS attacks for example
http://myportal.com/irj/portal/anonymous/questions?questionid=18c78b0'-alert('XSS_INJECTION')-'e3a1f
This gives me a pop-up XSS_INJECTION, even though I sanitized the questionid in Java code. The JavaScript function alert is executed first, and the URL hits the particular servlet/PDK object only afterwards.
How can I solve the above issue to remove XSS attacks? Can that be handled from code?
Please do the needful.
Regards
Prasad
Hi Prasad,
In your component, before returning the response to the client, you should use the XSSEncoder to encode your output properly.
If it's going to HTML, you should use XSSEncoder.encodeHTML.
See for example here:
SAP Encoding Functions for AS Java and JavaScript - Secure Programming - SAP Library
BR,
Tal
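A worked Java example of the approach Tal describes (validate the id, then encode it for the context it is written into). This is added illustration, not code from the thread or from SAP: the two encode methods are small stand-ins for the portal's XSSEncoder.encodeHTML and the JavaScript encoder on the linked SAP page, and the assumption that question ids are numeric comes from the ?questionid=2 URL above.

```java
import java.util.regex.Pattern;

public class QuestionIdOutput {
    // Assumption: question ids are plain numbers, as in ?questionid=2 in the question above.
    private static final Pattern QUESTION_ID = Pattern.compile("[0-9]{1,9}");

    /** Vulnerable shape: the raw parameter lands inside a JS string literal, so a quote in it ends the literal. */
    public static String renderUnsafe(String raw) {
        return "<script>var questionId = '" + raw + "';</script>";
    }

    /** Step 1, validate: return the id, or -1 when the value is not a plain number. */
    public static long parseQuestionId(String raw) {
        if (raw == null || !QUESTION_ID.matcher(raw).matches()) return -1;
        return Long.parseLong(raw);
    }

    /** Step 2, HTML context: stand-in for XSSEncoder.encodeHTML (use the SAP class in the portal). */
    public static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Step 2, JavaScript string context: every non-alphanumeric char becomes \\uHHHH, so neither a quote nor "</script>" survives. */
    public static String encodeJs(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    /** Hardened shape: reject anything that is not a numeric id, and still encode for each output context. */
    public static String renderSafe(String raw) {
        long id = parseQuestionId(raw);
        if (id < 0) return "<p>Invalid question id.</p>";
        String idText = String.valueOf(id);
        return "<script>var questionId = '" + encodeJs(idText) + "';</script>"
             + "<h1>Question " + encodeHtml(idText) + "</h1>";
    }
}
```

With the payload from the question, renderUnsafe emits a script whose string literal is closed early, while renderSafe returns the "Invalid question id." fragment; for "2" it emits the id encoded for both contexts.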
Hi Prasad,
Have you tried to send the parameters in the request via http POST?
Best regards,
Etay