
URL parameters of page com.sap.portal.innerpage causing XSS threat

Amey-Mogare
Contributor

Hi,

We have customized the SAP toolarea and search iview to redirect the user to our internal search engine page along with its search query string.

Now, the URL parameters for com.sap.portal.innerpage are causing XSS threats as follows:


https://<vendorURL>/irj/servlet/prt/portal/prteventname/Navigate/prtroot/pcd!3aportal_content!2fcom.<vendor>.layout.AoPortalLayoutFolder!2fcom.<vendor>.layout.DesktopFolder!2f<vendor>Desktop_1!2fframeworkPages!2fframeworkpage_1!2fcom.sap.portal.innerpage?url=<url to search engine followed by script entities>&system=<system alias name followed by script tag>&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true

The scripts placed here are getting executed. This exposes the application to a serious XSS threat.


url=<url to search engine followed by script entities>
&system=<system alias name followed by script tag>

Is there any way to validate these URL parameters before they are processed?

Please help.

Thanks and regards,

Amey
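One way to validate the two reflected parameters (url and system) on the server side before an iView renders them, as an added example that is not SAP portal code from the original post; the allow-listed search host and the alias character rules are assumptions:

```python
# Added illustration (not SAP code): validate the "url" and "system" query
# parameters of an innerpage request before they are reflected into a page.
import html
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Assumed allow-list of internal search-engine hosts (placeholder value).
ALLOWED_SEARCH_HOSTS = {"search.intranet.example"}
ALLOWED_SCHEMES = {"https"}


def validate_search_url(raw):
    """Return a rebuilt, allow-listed search URL, or None if it must be rejected."""
    if raw is None or len(raw) > 2048:
        return None
    try:
        parts = urlsplit(raw.strip())
        host, port = parts.hostname, parts.port   # .port raises on junk ports
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None          # blocks javascript:, data:, http: and friends
    if host is None or host.lower() not in ALLOWED_SEARCH_HOSTS:
        return None          # blocks host@evil tricks and injected markup
    if parts.username or parts.password or port not in (None, 443):
        return None
    # Rebuild from parsed parts so only the allowed structure survives.
    return urlunsplit(("https", host.lower(), parts.path, parts.query, ""))


def safe_system_alias(raw):
    """Accept only a plain alias (letters, digits, _ - .) and return it HTML-escaped."""
    if raw is None or not 1 <= len(raw) <= 64:
        return None
    if not all(c.isalnum() or c in "_-." for c in raw):
        return None
    return html.escape(raw, quote=True)


def sanitize_innerpage_query(query_string):
    """Validate the two reflected parameters; 'ok' is False if either fails."""
    params = parse_qs(query_string, keep_blank_values=True)
    url = validate_search_url(params.get("url", [None])[0])
    system = safe_system_alias(params.get("system", [None])[0])
    return {"url": url, "system": system, "ok": url is not None and system is not None}
```

Anything that fails validation should be dropped and logged rather than echoed back, since reflecting the rejected value reintroduces the same problem.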

Accepted Solutions (0)

Answers (1)


Amey-Mogare
Contributor

Solved.

Have a look at this thread: -