Security aspects are mostly dominated by the questions of how single sign-on works, how ICF nodes are activated and how to prevent cross-site scripting attacks. This section collects all relevant links to the different topics.
(Highly) Recommended SAP Notes
- BSP Security Relevant Changes
- Inactive services in the Internet Communication Framework
- XSS Support for BSP-Extensions HTMLB, XHTMLB and PHTMLB
- HTTP WhiteList Check
- BSP Test Applications in Production Systems
- BSP Page directive <%@page forceEncode="html"%> and <%html=...%>
- BSP Page Directive <%@page forceEncodeOtr="html"%> and <OTR>
- Whitelist checks of sap-exit URL
- HTML Encoding of Error Messages
Logon Handling in the Web
General Links to Security Topics
- Security Services@SAP
- Single Sign-On (SSO) in a Complex System Landscape
- Security Aspects for BSP
- Portal Security Guide
- Authentication and Single Sign-On for SAP NetWeaver
- Authentication and Single Sign-On in Portal Environment
BSP Page and HTMLB Rendering Support
- BSP page directive <%@page forceEncode="html"%> to automatically HTML encode all <%=...%> statements
- BSP page directive <%@page forceEncodeOtr="html"%> to automatically HTML encode all OTR output (translated texts in other languages can break the rendered HTML)
- <htmlb:content forceEncode="enabled"> to HTML encode all attributes/values during rendering
- <htmlb:content level2Check="true"> to check incoming model attributes whether they were actually part of the previous outgoing response and may be updated
- See the encoding functions on class CL_HTTP_UTILITY.
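Added example (not from this page or SAP's own documentation) showing how the directives above fit together in one BSP page: the layout with both forceEncode directives set, and its OnInitialization handler encoding explicitly with CL_HTTP_UTILITY. The page attributes name and trusted_markup, the auto-fill of name from the request, and the escape_html parameter name unescaped are assumptions.

```abap
<%@page language="abap" forceEncode="html" forceEncodeOtr="html"%>
<%@extension name="htmlb" prefix="htmlb"%>
<%-- Constructed example layout. Page attribute 'name' is assumed to be an
     auto page attribute, i.e. filled from the request parameter 'name'.
     Page attribute 'trusted_markup' is filled in OnInitialization below. --%>
<htmlb:content design="design2003" forceEncode="enabled" level2Check="true">
  <htmlb:page title="Greeting">
    <%-- Because of forceEncode="html" every output expression HTML-encodes
         its value, so markup or script supplied in 'name' is rendered as
         plain text instead of being interpreted by the browser. --%>
    <p>Hello, <%= name %></p>

    <%-- The html= form bypasses the directive and emits the string raw.
         Use it only for markup the server built itself, never for
         unencoded request data. --%>
    <%html= trusted_markup %>
  </htmlb:page>
</htmlb:content>

* ---- OnInitialization event handler of the same page (constructed) ----
* The page directive only covers the layout. In handlers, encode explicitly
* with CL_HTTP_UTILITY before building any string that is later emitted raw.
* Parameter name 'unescaped' of escape_html is an assumption from memory.
  DATA lv_safe TYPE string.
  lv_safe = cl_http_utility=>escape_html( unescaped = name ).
  CONCATENATE '<b>' lv_safe '</b>' INTO trusted_markup.
```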