Hi,
We have modified the login page with branding customization and are able to cross-check the issue with the URL
https://<host>:<port>/irj/portal?j_username=Test&"onmouseover="location.href='https://www.google.com'"
which doesn't allow the user to enter a password.
1. Should encoding be applied to all request parameters or only to a few parameters on the login page?
2. Is decoding required again? If so, how and where should it be done?
Please let me know how com.sap.security.core.server.csi.XSSEncoder can be used for the customized login page, with any samples.
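
The following is an added example, not part of the original post and not SAP code: it renders the two parameters from the URL above into a double-quoted HTML attribute, first raw and then encoded at output time. It uses a hand-written attribute encoder instead of `XSSEncoder`, whose method signatures are not shown on this page, and it assumes the customized page echoes parameter names and values into `<input>` attributes; the class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class LoginFieldEncodingDemo {

    // Encode for a double-quoted HTML attribute value: ASCII letters and digits
    // pass through, every other character becomes a numeric character reference.
    static String encodeForHtmlAttribute(String raw) {
        if (raw == null) return "";
        StringBuilder out = new StringBuilder(raw.length() * 2);
        raw.codePoints().forEach(cp -> {
            boolean safe = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z')
                        || (cp >= '0' && cp <= '9');
            if (safe) out.appendCodePoint(cp);
            else out.append("&#x").append(Integer.toHexString(cp)).append(';');
        });
        return out.toString();
    }

    // Weak form: request data concatenated straight into the markup.
    static String renderRaw(String name, String value) {
        return "<input type=\"text\" name=\"" + name + "\" value=\"" + value + "\">";
    }

    // Hardened form: both the parameter name and its value are encoded
    // at the point where they are written into the attribute.
    static String renderEncoded(String name, String value) {
        return "<input type=\"text\" name=\"" + encodeForHtmlAttribute(name)
             + "\" value=\"" + encodeForHtmlAttribute(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input: the query string from the post, as a servlet
        // container would hand it over after URL-decoding. The text after
        // '&' arrives as a second parameter, not as part of j_username.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("j_username", "Test");
        params.put("\"onmouseover", "\"location.href='https://www.google.com'\"");

        for (Map.Entry<String, String> p : params.entrySet()) {
            System.out.println("raw:     " + renderRaw(p.getKey(), p.getValue()));
            System.out.println("encoded: " + renderEncoded(p.getKey(), p.getValue()));
        }
    }
}
```

In the encoded output the quotes arrive as `&#x22;`, so the attribute is never closed and no `onmouseover` handler is created. No decoding step is needed on the server: the browser resolves the character references when it parses the attribute, and the form submits the original string.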