Hi,
this is my first blog post in the SCN - and I hope it will be helpful.
First of all, XSS prevention is already part of the UI5 framework: if you bind a model to a view and malicious code is injected into a UI5 control, the JS code is escaped and not executed in the browser.
So far so good... But is it possible to write malicious code into your database through an OData model? Yes, it is!
If you don't escape the user input, the script is written into the database as-is:
You should prevent this on the server side (never trust a client): a non-UI5 client that consumes your OData service would receive the injected JS code unescaped. You can do this with the following code:
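As an added example (not the code from the post, whose screenshots are not reproduced here), this is how such a server-side escape can look in the CREATE_ENTITY method of an SAP Gateway data-provider class. The class name, entity set, structure type, table and field names are all assumed placeholders; the escape itself uses the ABAP built-in `escape( )` with `cl_abap_format=>e_xss_ml`.

```abap
" Added example, not the post's own code. Placeholder names:
" data-provider class ZCL_ZCOMMENT_DPC_EXT, entity set CommentSet with
" structure type zcl_zcomment_mpc=>ts_comment (fields ID and TEXT),
" and database table ZCOMMENT with the same fields.
METHOD commentset_create_entity.
  DATA: ls_comment TYPE zcl_zcomment_mpc=>ts_comment.

  " Read the entity sent by the client. A UI5 client escapes on display,
  " but any other OData consumer may post raw markup.
  io_data_provider->read_entry_data( IMPORTING es_data = ls_comment ).

  " Neutralize HTML/script before the value reaches the database.
  " e_xss_ml escapes the characters that are significant in markup
  " (<, >, &, quotes, ...), so "<script>" is stored as "&lt;script&gt;".
  ls_comment-text = escape( val    = ls_comment-text
                            format = cl_abap_format=>e_xss_ml ).

  " Persist the sanitized record; reject the request if the insert fails.
  INSERT zcomment FROM ls_comment.
  IF sy-subrc <> 0.
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING
        textid  = /iwbep/cx_mgw_busi_exception=>business_error
        message = 'Comment could not be saved'.
  ENDIF.

  " Return the stored (already escaped) entity to the caller.
  er_entity = ls_comment.
ENDMETHOD.
```

The same escape has to be applied in UPDATE_ENTITY and any other method that accepts client data, otherwise a second request path reintroduces the raw markup. Escaping on write, as the post proposes, fixes the stored value to an HTML context; if the same field is later emitted into JavaScript or a URL, the matching `e_xss_js` or `e_xss_url` format is needed at that output.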
The result is a clean database:
Greetings,
Stefan