https://community.sap.com/t5/application-development-and-automation-discussions/handle-escape-xml-from-abap-data-in-javascript/m-p/11320777#M1919077 <HTML><HEAD></HEAD><BODY><P>Hi Colleagues,</P><P></P><P>Currently in our application the communication between ABAP back-end and UI layer we are using XML format as data exchange between them . </P><P>To remove the XSS security vulnerability we are using escape API as mentioned in the link <A href="http://help.sap.com/SAPhelp_nw70/helpdata/en/a6/87890ae991441b89bf418d0198ddcc/content.htm" title="http://help.sap.com/SAPhelp_nw70/helpdata/en/a6/87890ae991441b89bf418d0198ddcc/content.htm">SAP Encoding Functions for AS ABAP - Secure Programming - SAP Library</A></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;"> The sample snippet is shown below </SPAN></P><P></P><P><SPAN style="color: #333333; font-style: inherit; background-color: #f6f6f6; font-family: inherit; font-weight: inherit;"><BR /></SPAN></P><P><SPAN class="L0S52">CALL </SPAN><SPAN class="L0S52">METHOD </SPAN>server<SPAN class="L0S70">-&gt;</SPAN>response<SPAN class="L0S70">-&gt;</SPAN>set_header_field<SPAN class="L0S55">(</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp; <SPAN class="L0S55">= </SPAN>if_http_header_fields<SPAN class="L0S70">=&gt;</SPAN>content_type</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN class="L0S52">value </SPAN><SPAN class="L0S55">= </SPAN><SPAN class="L0S33">'text/plain' </SPAN><SPAN class="L0S55">)</SPAN><SPAN class="L0S55">.</SPAN></P><P></P><P>&nbsp;&nbsp;&nbsp; lv_response <SPAN class="L0S55">= </SPAN>escape<SPAN class="L0S55">( </SPAN>val <SPAN class="L0S55">= </SPAN>lv_response_xml_data <SPAN class="L0S52">format </SPAN><SPAN class="L0S55">= </SPAN>cl_abap_format<SPAN class="L0S70">=&gt;</SPAN>e_xss_ml <SPAN class="L0S55">)</SPAN><SPAN class="L0S55">.</SPAN></P><P><SPAN class="L0S55"></SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp; <SPAN class="L0S31">"Now Send the actual data</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp; server<SPAN class="L0S70">-&gt;</SPAN>response<SPAN class="L0S70">-&gt;</SPAN>set_cdata<SPAN class="L0S55">( </SPAN><SPAN class="L0S52">data </SPAN><SPAN class="L0S55">= </SPAN>lv_response <SPAN class="L0S55">)</SPAN><SPAN class="L0S55">.</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">.</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;"><BR /></SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">Now what in UI layer we are using unescape API in JS to retrieve the incoming XML content . But the this is not happening . Can you help me here ?</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;"><BR /></SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">Best Regards,</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">Mitul<BR /></SPAN></P></BODY></HTML> Tue, 27 Oct 2015 11:52:03 GMT MitulAdhia 2015-10-27T11:52:03Z https://community.sap.com/t5/application-development-and-automation-discussions/handle-escape-xml-from-abap-data-in-javascript/m-p/11320777#M1919077 <HTML><HEAD></HEAD><BODY><P>Hi Colleagues,</P><P></P><P>Currently in our application the communication between ABAP back-end and UI layer we are using XML format as data exchange between them . </P><P>To remove the XSS security vulnerability we are using escape API as mentioned in the link <A href="http://help.sap.com/SAPhelp_nw70/helpdata/en/a6/87890ae991441b89bf418d0198ddcc/content.htm" title="http://help.sap.com/SAPhelp_nw70/helpdata/en/a6/87890ae991441b89bf418d0198ddcc/content.htm">SAP Encoding Functions for AS ABAP - Secure Programming - SAP Library</A></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;"> The sample snippet is shown below </SPAN></P><P></P><P><SPAN style="color: #333333; font-style: inherit; background-color: #f6f6f6; font-family: inherit; font-weight: inherit;"><BR /></SPAN></P><P><SPAN class="L0S52">CALL </SPAN><SPAN class="L0S52">METHOD </SPAN>server<SPAN class="L0S70">-&gt;</SPAN>response<SPAN class="L0S70">-&gt;</SPAN>set_header_field<SPAN class="L0S55">(</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp; <SPAN class="L0S55">= </SPAN>if_http_header_fields<SPAN class="L0S70">=&gt;</SPAN>content_type</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN class="L0S52">value </SPAN><SPAN class="L0S55">= </SPAN><SPAN class="L0S33">'text/plain' </SPAN><SPAN class="L0S55">)</SPAN><SPAN class="L0S55">.</SPAN></P><P></P><P>&nbsp;&nbsp;&nbsp; lv_response <SPAN class="L0S55">= </SPAN>escape<SPAN class="L0S55">( </SPAN>val <SPAN class="L0S55">= </SPAN>lv_response_xml_data <SPAN class="L0S52">format </SPAN><SPAN class="L0S55">= </SPAN>cl_abap_format<SPAN class="L0S70">=&gt;</SPAN>e_xss_ml <SPAN class="L0S55">)</SPAN><SPAN class="L0S55">.</SPAN></P><P><SPAN class="L0S55"></SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp; <SPAN class="L0S31">"Now Send the actual data</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp; server<SPAN class="L0S70">-&gt;</SPAN>response<SPAN class="L0S70">-&gt;</SPAN>set_cdata<SPAN class="L0S55">( </SPAN><SPAN class="L0S52">data </SPAN><SPAN class="L0S55">= </SPAN>lv_response <SPAN class="L0S55">)</SPAN><SPAN class="L0S55">.</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">.</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;"><BR /></SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">Now what in UI layer we are using unescape API in JS to retrieve the incoming XML content . But the this is not happening . Can you help me here ?</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;"><BR /></SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">Best Regards,</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, 'Microsoft YaHei', Meiryo, 'Malgun Gothic', sans-serif; color: #333333; background-color: #f6f6f6;">Mitul<BR /></SPAN></P></BODY></HTML> Tue, 27 Oct 2015 11:52:03 GMT https://community.sap.com/t5/application-development-and-automation-discussions/handle-escape-xml-from-abap-data-in-javascript/m-p/11320777#M1919077 MitulAdhia 2015-10-27T11:52:03Z https://community.sap.com/t5/application-development-and-automation-discussions/handle-escape-xml-from-abap-data-in-javascript/m-p/11320778#M1919078 <HTML><HEAD></HEAD><BODY><P>The issue is solved now after using regular expression in UI layer .</P></BODY></HTML> Tue, 03 Nov 2015 11:43:47 GMT https://community.sap.com/t5/application-development-and-automation-discussions/handle-escape-xml-from-abap-data-in-javascript/m-p/11320778#M1919078 MitulAdhia 2015-11-03T11:43:47Z