To help SAP customers understand the Web Dispatcher and ICM default request filters and how to use them accordingly.
The Web Dispatcher and ICM check the user input that is sent to the server in an HTTP request and filter the received request using a standard pattern, as a countermeasure against Cross-Site Scripting (XSS). Cross-Site Scripting is used to attack an internet page in order to do harm or to obtain other users' data.
By default, this filter is activated in SAP systems, to provide the maximum possible security. The relevant profile settings are:
- csi/enable = 1
- csi/SAP/csa_lib = sapcsa.dll or libsapcsa.so
- icm/HTTP/auth_0 = PREFIX=/, FILTER=SAP
Requests whose URLs do not comply with the exclusion criteria defined by these security rules are rejected with HTTP status code 400 "Bad Request". If disallowed strings are found in the request, it is rejected with HTTP status code 403 "Access Denied".
You can change or override this filter to extend or restrict the input options; this is explained in detail in the online help page for the standard pattern. You can also use a library other than sapcsa.dll or libsapcsa.so; to do so, specify the complete path to that library in the profile parameter csi/SAP/csa_lib mentioned above, using transaction RZ11.
You can deactivate the filter as follows (for example, if an application requires the input of script tags):
- Set the profile parameter csi/enable to the value 0 in transaction RZ11. You can also use prefixes to filter individual paths (for example, if users enter data there) or to exclude individual paths from filtering (for example, if users cannot enter any data there). The new value is immediately active, so you should prefer this method.
- Set the ICM filter parameter listed above (icm/HTTP/auth_0) to an empty value in transaction RZ11. After you have changed the settings of the profile parameters, you need to restart the Internet Connection Manager using transaction SMICM.
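Because both deactivation paths above leave the filter silently off, a quick audit of the instance profile is worthwhile. The following is an added example (not SAP's code): it parses the `name = value` lines of a constructed profile excerpt and reports when the settings above no longer provide the default filter; the excerpt and the audit rules are this example's own assumptions.

```python
"""Audit an SAP instance profile excerpt for the ICM/Web Dispatcher CSI filter.

Added example, not SAP code. Parameter names are the ones documented above;
the profile excerpt is a constructed sample and the checks are assumptions.
"""

# Constructed sample: csi/enable switched off and icm/HTTP/auth_0 emptied,
# i.e. the result of both deactivation steps, plus a narrower filter rule.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = XYZ
csi/enable = 0
csi/SAP/csa_lib = libsapcsa.so
icm/HTTP/auth_0 =
icm/HTTP/auth_1 = PREFIX=/sap/public, FILTER=SAP
"""


def parse_profile(text: str) -> dict:
    """Return {parameter: value} for 'name = value' lines; '#' comments skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_auth_rule(value: str) -> dict:
    """Parse an icm/HTTP/auth_<n> value such as 'PREFIX=/, FILTER=SAP'."""
    rule = {}
    for part in value.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            rule[key.strip().upper()] = val.strip()
    return rule


def audit_csi_filter(params: dict) -> list:
    """Findings that mean the default request filter is no longer fully active."""
    findings = []
    if params.get("csi/enable", "1") != "1":  # page: default is active
        findings.append("csi/enable != 1: CSI filter globally disabled")
    if "csi/SAP/csa_lib" in params and not params["csi/SAP/csa_lib"]:
        findings.append("csi/SAP/csa_lib is empty: no filter library configured")
    rules = [parse_auth_rule(v) for k, v in params.items() if k.startswith("icm/HTTP/auth_")]
    filtered = [r.get("PREFIX", "") for r in rules if r.get("FILTER") == "SAP"]
    if not filtered:
        findings.append("no icm/HTTP/auth_<n> rule with FILTER=SAP: ICM applies no filter")
    elif "/" not in filtered:
        findings.append("FILTER=SAP only for prefixes %s; other paths are unfiltered" % filtered)
    return findings
```

Running `audit_csi_filter(parse_profile(SAMPLE_PROFILE))` on the sample reports the disabled csi/enable and the narrowed prefix coverage; a profile with the three default settings returns no findings.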