May 13, 2011 at 11:47 AM

URL parameters of page causing XSS threat
We have customized the SAP toolarea and search iview to redirect the user to our internal search engine page along with its search query string.

Now, URL parameters are causing XSS threats as follows:

https://<vendorURL>/irj/servlet/prt/portal/prteventname/Navigate/prtroot/pcd!3aportal_content!2fcom.<vendor>.layout.AoPortalLayoutFolder!2fcom.<vendor>.layout.DesktopFolder!2f<vendor>Desktop_1!2fframeworkPages!2fframeworkpage_1!<url to search engine followed by script entities>&system=<system alias name followed by script tag>&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true

The scripts placed here are getting executed. This exposes the application to a serious XSS threat.

url=<url to search engine followed by script entities>
&system=<system alias name followed by script tag>

Is there any way to validate these URL parameters before they are processed?

Please help.

Thanks and regards,
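The post asks how the `url` and `system` parameters can be validated before the custom iView processes them. The following is an added example written for this question; it is not code from the original post and not part of SAP's portal runtime. It shows the two controls a custom portal component would normally apply in plain Java, independent of the portal API: allowlist validation of each parameter (parsed URL restricted to http/https and a fixed set of internal search hosts; system alias restricted to a short identifier character set), and HTML-escaping of any value that is echoed back into the page. The host name `search.internal.example`, the alias pattern and the sample inputs are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Validation helpers for the two request parameters named in the post.
 * Plain Java so it runs outside the portal; in a portal component the
 * raw values would come from the component request object.
 */
public class SearchParamValidator {

    // Assumed allowlist: the only hosts the search redirect may point at.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("search.internal.example"));

    // Assumed alias format: system aliases are short identifiers, nothing else.
    private static final Pattern ALIAS = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    private static final int MAX_URL_LENGTH = 2048;

    /**
     * Returns the normalized search URL when it is an absolute http(s) URL to an
     * allowlisted host; returns null for anything else (reject, do not "clean").
     * java.net.URI refuses characters such as '<', '>' and '"', so injected
     * markup fails parsing before any allowlist check is reached.
     */
    public static String validateSearchUrl(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > MAX_URL_LENGTH) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null; // malformed or contains illegal characters
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return null; // relative or scheme-less input is not accepted
        }
        scheme = scheme.toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null; // blocks javascript:, data:, vbscript: and friends
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null; // open-redirect / off-host target
        }
        return uri.toASCIIString();
    }

    /** Returns the alias unchanged when it matches the identifier pattern, else null. */
    public static String validateSystemAlias(String raw) {
        if (raw == null || !ALIAS.matcher(raw).matches()) {
            return null;
        }
        return raw;
    }

    /**
     * Minimal HTML escaping for values that must be written into the page
     * (for example when a rejected value is reported back to the user).
     */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate value per parameter, then hostile ones.
        String[] urls = {
            "https://search.internal.example/q?term=portal",
            "https://search.internal.example/q\"><script>alert(1)</script>",
            "javascript:alert(1)",
            "https://attacker.example/?q=x"
        };
        for (String u : urls) {
            String ok = validateSearchUrl(u);
            System.out.println((ok == null ? "REJECT " : "ACCEPT ") + htmlEscape(u));
        }
        String[] aliases = { "SAP_ECC_PRD", "SAP_ECC_PRD<script>alert(1)</script>" };
        for (String a : aliases) {
            System.out.println((validateSystemAlias(a) == null ? "REJECT " : "ACCEPT ") + htmlEscape(a));
        }
    }
}
```

Rejected values are logged or reported only after `htmlEscape`, and never forwarded to the search engine, so a failed check cannot itself become a second injection point. Keeping the host allowlist in configuration rather than source is the natural next step, but the allowlist itself should stay small and explicit.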