The OpenUI5 framework provides a client-side API to manage a white list for URLs. This whitelist can be used to validate arbitrary URLs if they are permitted or not.
Internal examples of how controls can use this feature are those controls which accept arbitrary HTML content like sap.ui.core.HTML. This control uses the URL white list when a check (sanitization) is performed on the content. URLs inside their content are then automatically removed, except if they are listed in the URL whitelist. The option to sanitize the value can be enabled or disabled in the respective control properly via the HTML.sanitizeContent property. For the HTML control it is disabled by default. When adding a path to the white list be aware to add a “/” at the start of the path if necessary, so “/index.epx” would be the correct entry instead of “index.epx”. The last example below shows this.
The whitelist can be maintained with the following API:
jQuery.sap.addUrlWhitelist
jQuery.sap.clearUrlWhitelist
jQuery.sap.getUrlWhitelist
jQuery.sap.removeUrlWhitelist
Here is an example how valid URLs can be added to the white list:
// jQuery.sap.addUrlWhitelist(/* protocol */ undefined, /* host */ undefined, /* port */ undefined, /* path */ undefined);
jQuery.sap.addUrlWhitelist(undefined, "www.sap.com");
jQuery.sap.addUrlWhitelist("https", "sdn.sap.com");
jQuery.sap.addUrlWhitelist(undefined, "sap.de", "1080");A URL can be validated by using the following API: jQuerysapvalidateUrl.
Here is an example how a given URL is validated against the before maintained white list:
jQuery.sap.validateUrl("http://www.sap.com"); // => true
jQuery.sap.validateUrl("http://sdn.sap.com"); // => false (wrong protocol)
jQuery.sap.validateUrl("https://sdn.sap.com"); // => true
jQuery.sap.validateUrl("ftp://sap.de:1080/anyftpfolder"); // => trueIf no whitelist is maintained the URL validity check also basically checks the URL for being defined in a valid format.