Including text received from a client browser, typically through an XSJS request parameter, in a response body that is rendered as HTML may execute arbitrary JavaScript code in the client's browser.
The XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.
Validate the submitted input by looking for a sensitive HTML tag such as <script ...>...</script>. The pattern may be encoded as a regular expression and matched against the input; if there is a match, the XSJS application may decide to abort processing and instead return an HTTP status code stating that the request was rejected (e.g. $.net.http.FORBIDDEN). XSJS does not provide a function that reliably performs this check, so using a third-party library is recommended.
The XSJS application may instead accept any user input but sanitize it before integrating it into the response body. This is achieved by escaping the special characters that are treated as part of HTML syntax, such as ", &, ', <, and >. Since XSJS does not provide a function to escape these, using a third-party library is recommended.
Alternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as sap.base.security.encodeXML and sap.base.security.encodeHTML. If sap.ui.core.HTML is used in the frontend view, consider setting its sanitizeContent property explicitly to true, since its default value is false.
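Added example, not from the page or from SAP, of the escaping approach described above: a small HTML escaper (XSJS ships none) and the handler shown further down rewritten to use it. The `$` runtime object is passed in as a parameter, makeStubRuntime is a constructed stand-in for it so the code runs outside HANA, and the parameter name someParameter is taken from the page.

```javascript
// Added example (not code from the page or from SAP). `$` is the XSJS runtime
// object, passed in so the handler runs under XSJS and against the stub below.

// XSJS has no built-in HTML escaper, so this one covers the five characters
// the text lists: & < > " '. A single regex pass means nothing is escaped twice.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, function (ch) {
    switch (ch) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default:  return "&#39;"; // the single quote
    }
  });
}

// Build the same <div> wrapper as the page's handler, but from escaped data,
// so a submitted "<script>" reaches the browser as literal text.
function buildBody(clientData) {
  return "<div>" + escapeHtml(clientData) + "</div>";
}

// Hardened handler: identical to the vulnerable one except for buildBody.
function handleRequest($) {
  var clientData = $.request.parameters.get("someParameter");
  $.response.contentType = "text/html";
  $.response.setBody(buildBody(clientData));
  $.response.status = $.net.http.OK;
}

// Constructed stand-in for the XSJS `$` object (assumed shape of the real
// runtime's request/response/net.http members), used to run this offline.
function makeStubRuntime(params) {
  return {
    net: { http: { OK: 200, FORBIDDEN: 403 } },
    request: { parameters: { get: function (name) { return params[name]; } } },
    response: {
      body: null, status: null, contentType: null,
      setBody: function (b) { this.body = b; }
    }
  };
}

// Run the handler against the stub with a constructed value; return the response.
function renderParameter(value) {
  var rt = makeStubRuntime({ someParameter: value });
  handleRequest(rt);
  return rt.response;
}
```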
The following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The response's content type is set to that of an HTML document, which allows any embedded JavaScript to run in the client's browser. Note that the vulnerability would still exist even if clientData were not enclosed in a div.
// Raw request parameter, read through the XSJS runtime object `$`.
let clientData = $.request.parameters.get("someParameter");
// Declaring the body as HTML makes the browser parse any markup in clientData.
$.response.contentType = "text/html";
// clientData is concatenated unescaped: a "<script>" inside it is executed by the client.
$.response.setBody("<div>" + clientData + "</div>");
$.response.status = $.net.http.OK;

- SAP: Server-Side JavaScript Security Considerations.
- SAP: Server-Side JavaScript: Cross-Site Scripting.
- OWASP: Types of Cross-site Scripting.
- OWASP: Cross Site Scripting Prevention Cheat Sheet.
- Common Weakness Enumeration: CWE-79.
- Common Weakness Enumeration: CWE-116.