Monday, June 13, 2011

SAP Note 1294431 - Anchor links are generated with unwanted HTTP href address

Symptom
When working in SAP CRM, you can clearly see and copy the fully qualified URLs of different object links. In some scenarios, some of the links contain session information. If the system is not properly configured, a user who is sent one of these URLs can use it to log into the sender's session.


Other terms
Visible URLs, Bookmarking full URLs, Sending URLs


Reason and Prerequisites
When HTML anchors are generated with "href='#'", browsers interpret this '#' as a relative reference within the current page and therefore replace the '#' with the full address of the page. This address is visible to the user and can be copied.
Even though there are other security measures that are more appropriate to avoid session reuse, the first step taken in this note is to prevent end users from seeing fully qualified URLs when this is not required. HTML anchor <A> elements should not display any unnecessary HTTP information.
This can be done by using href="javascript:void(0);"
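
An added example (not part of the SAP Note or its correction): the sketch below uses the standard URL API in Node.js to show what each href form resolves to, and flags anchors whose resolved address carries the page's query string. The page address, the session-token parameter name and the sample markup are constructed for illustration.

```javascript
// Constructed page address carrying session info (hypothetical parameter name).
const PAGE_URL = "https://crm.example.test/ui/main.htm?session-token=CONSTRUCTED-0001";

// Constructed markup: an anchor as generated before the fix, one after it,
// and an in-page fragment link for comparison.
const SAMPLE_HTML = `
<a id="before" href='#' onclick="open1()">Account</a>
<a id="after" href="javascript:void(0);" onclick="open2()">Contact</a>
<a id="rel" href="#details">Details</a>`;

// The address a browser shows for a link and copies with "Copy link address":
// the href resolved against the address of the current page.
function resolvedHref(href, pageUrl) {
  return new URL(href, pageUrl).href;
}

// Return every anchor whose resolved href exposes the page's query string.
function auditAnchors(html, pageUrl) {
  const pageQuery = new URL(pageUrl).search;
  const findings = [];
  // Simple attribute match; sufficient for generated markup on a single line.
  const anchorRe = /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1[^>]*>/gi;
  for (const m of html.matchAll(anchorRe)) {
    const full = resolvedHref(m[2], pageUrl);
    if (pageQuery && full.includes(pageQuery)) {
      findings.push({ href: m[2], exposes: full });
    }
  }
  return findings;
}

for (const f of auditAnchors(SAMPLE_HTML, PAGE_URL)) {
  console.log(`href="${f.href}" is shown as ${f.exposes}`);
}
```

The "javascript:void(0);" anchor is absent from the findings because it is an absolute URL with its own scheme, so nothing from the page address is merged into it.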



Solution
Please implement the enhancement below.
Please also apply Note 1136402, which implements similar fixes for the InputField and Checkbox tags.




Affected Releases
Software Component   Release   From Release   To Release   And subsequent
CRMUIF               510       510            510
CRMUIF               520       520            520
CRMUIF               600       600            600
WEBCUIF              700       700            700
WEBCUIF              730       730            730

Correction delivered in Support Package
Support Packages   Release   Package Name
CRMUIF             510
CRMUIF             520
CRMUIF             600
WEBCUIF            700
WEBCUIF            730

Corrections Instructions
Correction Instruction   Valid from   Valid to   Software Component   Last Modification
                         510          510        CRMUIF               03.11.2009  15:55:51
                         520          520        CRMUIF               03.11.2009  16:54:05
                         520          520        CRMUIF               02.12.2009  19:28:28
                         600          600        CRMUIF               18.01.2009  15:57:36
                         700          700        WEBCUIF              15.01.2009  18:14:30
