Queries unit tests

Examples can be run locally using UI5 tooling

UI5 XSS

  • only reporting alerts that are specific to UI5
  • custom Control
  • classic string-based API
  • renderer property is set to a render function
  • custom Control
  • accessing Control properties byId
  • custom Control
  • DOM-like API
  • renderer property is set to an object literal
  • custom Control declared using JQuery
  • custom Control
  • DOM-like API
  • the type of the control property text is set to int (sanitized)
  • the sanitizer is not affecting the log-injection
  • custom Control
  • DOM-like API
  • the value of text is sanitized using sap/base/security/encodeXML

User input flows to XSS sinks via event handlers in 4 different ways:

  1. function sap.ui.model.Model#getProperty
  2. model property passed as handler parameter
  3. function sap.ui.base.Event#getSource#getValue
  4. accessing properties byId
  • sap.ui.core.HTML Control
  • sanitization using the sanitizeContent property
  • sanitization disabled by programmatically setting the sanitizeContent property to false
  • sap.ui.core.HTML Control
  • dataflow in the controller
  • sap.ui.core.HTML Control
  • one-way binding makes the xss fail
  • sap.ui.core.HTML Control
  • controller model as external .json file
  • sap.ui.core.mvc.HTMLView View
  • control accessed indirectly
  • sap.ui.core.mvc.JSView View
  • sanitization using the sanitizeContent property
  • sap.ui.core.mvc.JSONView View
  • sanitization using the sanitizeContent property
  • renderer property is set to a class name (a string)
  • Renderer implemented in its own module
  • Uses the sap.ui.webc.main.MultiInput control

UI5 Log-Injection

  • only reporting alerts that are specific to UI5
  • sap.ui.core.HTML Control
  • dataflow in the controller
  • custom Control
  • DOM-like API
  • the type of the control property text is set to int (sanitized)
  • the sanitizer is not affecting the log-injection
  • the value of text is sanitized using sap/base/security/encodeXML
  • the sanitizer is not affecting the log-injection

UI5 Clickjacking

  • frameOptions = allow
  • frameOptions not set
  • frameOptions = deny