
How can I prevent Cross-Site-Scripting using JavaScript SAPUI5 When validating user and password?

Wonderful guys, I'm using oData to validate some pieces of information inputted by the user. The big problem is to avoid Cross-Site-Scripting that is easily done by Chrome debugger, for example. How can I avoid this?

My Code:

    onPress: function(oEvent) {
        var oLoginModel = this.getView().getModel("loggin");
        var event = oLoginModel.getProperty("/TypeCon");
        var TestMode = oLoginModel.getProperty("/TestMode");
        // keep a reference to the controller: inside the OData callback below,
        // "this" is no longer the controller, so this.getRouter() would fail there
        var that = this;

        if (event == "") {
            event = "SAP";
        }

        if (event != 'SAP') {
            MessageToast.show("Esta conexão ainda não está disponível");
        } else {
            if (TestMode == 'X') {
                this.getRouter().navTo("CockpitGo");
            } else {
                var oEntry = {};
                oEntry.User = oLoginModel.getProperty("/User");
                oEntry.Password = oLoginModel.getProperty("/Password");

                var sServiceUrl = "http://abapfox.ddns.net:8000/sap/opu/odata/SAP/YLOGGIN_DATA_SRV/";
                var oModel = new sap.ui.model.odata.ODataModel(sServiceUrl, true);

                // Build the URI first so we can check that everything is right:
                // (note that the user-supplied User and Password values are concatenated
                // into the OData key unescaped, and the password travels in the URL)
                var Uri = "/sap/opu/odata/SAP/YLOGGIN_DATA_SRV/LoginDataSet(User='" + oEntry.User + "',Password='" + oEntry.Password + "')";
                OData.request({
                    requestUri: Uri,
                    method: "GET",
                    headers: {
                        "X-Requested-With": "XMLHttpRequest",
                        "Content-Type": "application/atom+xml",
                        "DataServiceVersion": "2.0",
                        "X-CSRF-Token": "Fetch"
                    }
                },
                function(data, response) {
                    if (data.Success === true) {
                        // show message
                        MessageToast.show(data.Message);
                        that.getRouter().navTo("CockpitGo");
                    } else {
                        // show message
                        MessageToast.show(data.Message);
                    }
                });
            }
        }
    },

To make this in the browser, you could filter data.message using a NodeJS module like bleach, after embedding it with a tool like browserify.

Btw: MessageToast.show(data.Message); should be outside the if/else, as you call it in both branches.

EDIT: Thinking about this again, you should test with real input which characters are really processed within this escaping sequence. They are talking about scripts and writing HTML, not sure anymore if this includes more characters than '>' '<'.

https://sapui5.netweaver.ondemand.com/sdk/#docs/guide/4de64e2e191f4a7297d4fd2d1e233a2d.html

Cross-site scripting (XSS) can be prevented by ensuring that it is not possible to inject script code into an application page that runs in a browser.

Controls must prohibit writing scripts to the page that comes from the application or from business data saved by a different user. To ensure this, the following two measures must be combined:

Validation of typed control properties

SAPUI5 core validates the value of properties set by the application against the type of the property. This guarantees that an int is always an int, and a sap.ui.core/CSSSize is a string representing a CSS size and does not contain a script tag. This also applies to enumerations and control IDs. The control renderer can rely on this check when writing the HTML. Property values that are typed in this way can be written without escaping.

Escaping

Control developers must ensure that string control properties and other values coming from the application and not sufficiently typed to rule out script tags being contained are escaped when written to the HTML. For this, the RenderManager and SAPUI5 core provide helper methods.
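The two measures quoted above (typed-property validation plus escaping of untyped strings), shown as a stand-alone plain-JavaScript example added here; it is not SAPUI5's RenderManager, and isCssSize, escapeHtml and renderLabel are assumed names, not SAPUI5 APIs.

```javascript
// Added example: mimics the two measures from the SAPUI5 docs in plain JS.
// None of the names below are SAPUI5 APIs (assumed names for illustration).

// Measure 1: a typed property only accepts values matching its type, so a
// renderer may write it into HTML without escaping. The pattern accepts
// values such as "100px", "50%", "2.5rem" or "auto" and rejects anything else.
var CSS_SIZE = /^(auto|inherit|initial|(\d+(\.\d+)?)(px|em|rem|%|vh|vw))$/;

function isCssSize(value) {
  return typeof value === "string" && CSS_SIZE.test(value);
}

// Measure 2: untyped strings (business data such as the server's data.Message)
// are escaped before being written into HTML, so any markup they contain is
// displayed literally instead of being parsed by the browser.
var HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, function (ch) { return HTML_ESCAPES[ch]; });
}

// A minimal "renderer": width is a typed property (validated, then written
// as-is); text is an untyped string (always escaped). Returns the HTML it
// would write to the page.
function renderLabel(props) {
  if (!isCssSize(props.width)) {
    // a typed property that fails validation is rejected, never written
    throw new TypeError("width is not a CSSSize: " + props.width);
  }
  return '<span style="width:' + props.width + '">' + escapeHtml(props.text) + "</span>";
}

// Constructed sample values (not from a real service).
console.log(renderLabel({ width: "120px", text: "Login OK" }));
console.log(renderLabel({ width: "120px", text: "<script>alert(1)</script>" }));
```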
