Monday, June 13, 2011

SAP Note 1275278 - Security: HTML Encoding missing over the inputField tooltip

Symptom

When a user enters text that contains HTML code, and that text includes JavaScript code, under certain conditions the JavaScript code can pass through the HTTP filter that checks for dangerous content. It can then be executed the next time the text is rendered.


Other terms
XSS, Cross-Site Scripting, JavaScript, malicious code


Reason and Prerequisites
This situation was made possible by missing HTML encoding of the inputField tooltip.
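
The missing encoding described above, as an added example (not SAP's code and not part of the note): a hypothetical renderer that writes the tooltip into the title attribute without and with HTML encoding, plus a small check that flags attributes the renderer never meant to emit. All function names and the sample input are constructed for illustration.

```javascript
// Added illustration, not SAP code. All names here are hypothetical.

// Encode the characters that can close an attribute value or open a tag.
function encodeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": id and value are encoded, the tooltip is written as-is.
function renderInputFieldUnencodedTooltip(field) {
  return `<input id="${encodeHtml(field.id)}" value="${encodeHtml(field.value)}"` +
         ` title="${field.tooltip}">`;
}

// "After": the tooltip is HTML-encoded on output like the other attributes.
function renderInputField(field) {
  return `<input id="${encodeHtml(field.id)}" value="${encodeHtml(field.value)}"` +
         ` title="${encodeHtml(field.tooltip)}">`;
}

// Regression check: list attribute names in a rendered tag that the
// renderer never emits itself. Handles double-quoted attributes only,
// which is all these renderers produce.
function unexpectedAttributes(tag, allowed = ["id", "value", "title"]) {
  const found = [];
  const attr = /([^\s"'<>\/=]+)\s*=\s*"[^"]*"/g;
  for (const match of tag.matchAll(attr)) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name)) found.push(name);
  }
  return found;
}

// Constructed sample input: a tooltip that contains a double quote.
const sample = { id: "f1", value: "Smith", tooltip: 'Name" onfocus="alert(1)' };

console.log(unexpectedAttributes(renderInputFieldUnencodedTooltip(sample)));
console.log(unexpectedAttributes(renderInputField(sample)));
```

The check can run in a unit test against every rendered field, so a newly added attribute that skips encoding is caught before release.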


Solution
Please implement the correction below.



Affected Releases
Software Component   Release   From Release   To Release   And subsequent
CRMUIF               520       520            520
CRMUIF               600       600            600
WEBCUIF              700       700            700
WEBCUIF              730       730            730

Correction delivered in Support Package
Support Packages
Release        Package Name
CRMUIF 520
CRMUIF 600
WEBCUIF 700
WEBCUIF 730

Correction Instructions
Correction Instruction   Valid from   Valid to   Software Component   Last Modification
                         520          520        CRMUIF               17.11.2008 20:28:11
                         600          600        CRMUIF               05.04.2009 20:38:28
                         700          700        WEBCUIF              17.11.2008 20:26:46

