DXP22.10.0010 Changelog

22 10 10 patch main 0
October 19, 2023

CSRF for multi-browser-tab Scenarios. RXSS Vulnerability for API Factory calls with wrong RFC Destination. Clear passwordText Field in Mobile Clients. PWA enabled Launchpad with external Alias. Launchpad Dialog Header. Dynamic AJAX ID Check. Dynamic hideOnNoData property. Numpad keyboard. Hide Header. No Cards Fiori Style Display. Sandbox URL Tiles. DYL Language Support. DYL Language Format. Browser Default Language. Forgot Password Link. Modal Dialog. Compact Toolbars. System Layouts Mobile Status Bar. Changing Language in PWA. Open Apps in Launchpad Header. PDFJS Updated. Non Unicode Systems. API Tile Info. Manage Screen Scroll. ABAP Error in Launchpad Language List. Left Menu Width. AppStorage Fallback Detection on iPad. Time Zone Dialog. Undefined Model. Notification Icon State. Tiles in tile groups with action. Hide Side Menu. Live Tilegroup Applications. Auto Lock in PWA and Mobile Client. Disable Context Menu. Card Icon Placement. Customization right-Click. Applid Params in Dynamic Tiles. Delete Policy. Search Field Design. User License Table. Mobile Client Catalog Versions. Busy Indicator. Video files in Media Library. Column Popin. Default values for search parameters. Error on Tile Action Type ABAP Report when using ABAP Query. Wrong boolean handling when data element name is substring of boolean data element names. Dump OBJECTS_OBJREF_NOT_ASSIGNED_NO when calling extension app. VizFrame properties lost in application extensions. Translation Export. Planning Calendar. Button and ObjectStatus property values. Default theme. Url generation & ICF subnode. afterUnlock Enhancement did not call when offline. Lock request message changed in SAP S/4 HANA 2021 and newer. PWA OAuth without Session "Create Login Cookies" enabled fails. GetDate

From October 31st (2023) WebSQL will no longer be available in the updated versions of Chrome. This also applies to all Chromium-based browsers like Edge, Opera, etc. This patch will address this deprecation by offering a replacement solution using SQLite and a fallback solution using our /NEPTUNE/IF_NAD_SERVER_EXIT enhancement framework.

You can read more about that topic here:


CSRF for multi-browser-tab Scenarios (05-19336)

We added a new option that allows to run CSRF Protection in multi-browser-tab scenarios.

RXSS Vulnerability for API Factory calls with wrong RFC Destination (20193)

When calling API Factory with parameter $RFCDEST and that value contained JS it could have been possible to have a XSS scenario. Now we escape the value to avoid this.

22 10 0010 csrf existence
Clear passwordText Field in Mobile Clients (06-19277)

When running a Mobile Client with SAP Username/Password the clear Text Password Field has not been cleared. Now after successful or failed logon the cleartext Password Field is cleared


PWA enabled Launchpad with external Alias (19775)

When using a PWA enabled Launchpad and an external alias the dynamic tile data was failing.

Launchpad Dialog Header (2)

In custom themes build on older 1.108 versions, the header in some dialogs would have a small transparent gap.

Dynamic AJAX ID Check (8-19545)

When saving the cockpit will now check that both dynamic application and AJAX ID are set if the tile type is set to dynamic.

Dynamic hideOnNoData property (9-19568)

The hideOnNoData property was introduced in UI5 1.84. A check for lower UI5 versions has been added, so that the property will only be applied when the launchpad is running UI5 1.84 and above.

Numpad keyboard (19595)

The keyboard numpad can now also control the launchpad pin code screen.

Hide Header (18-19610,19887,20103)

When setting a tile to not show header, the launchpad content height would not be adjusted, leaving a gab at the bottom of the page.

No Cards Fiori Style Display (19617)

A section (sub-tilegroup) header would still be visible even though the section did not include any tiles.

Sandbox URL Tiles (65-20019)

When a tile has a URL action (SAP Fiori App) and the opening is set to be done inline in the launchpad, the iFrame where the URL runs are now sandboxes, so that navigation happening inside the iFrame will not be parsed on to the parent launchpad.

DYL Language Support (25-19844)

Support for the DYL parameter has never been 100%. Now that the DYL parameter is really being considered, this can cause problems in systems where the DYL parameter is set, but was never used. If you want to enable the usage of the DYL parameter, this needs to be enabled in the Cockpit Settings Service.

22 10 0010 25 19844 DYL Language Support
DYL Language Format (25-19645)

If a launchpad is set to use the default user language, the DYL user parameter will be read. If the DYL parameter was not correctly formatted, a non-existing language was used in the launchpad language settings. It would cause the launchpad to crash in some circumstances. Now, the DYL parameter must match an installed 1-char language perfectly, with correct case, if not, the DYL parameter will be ignored.

Browser Default Language

If a launchpad was set to use default user language or browser default language and the SAP user had no language set in any of the many possible settings, the browser language was not chosen correctly. The system’s default language would be set even though the browser language was installed in the system.

Forgot Password Link (28-19688,19920)

The forgot a password link in the mobile client logon screen would not open correctly.

Modal Dialog (19692)

When an application includes documentation, the documentation application would set the global dialog backdrop canvas to not-visible, causing other dialogs to not be modal.

Compact Toolbars (31-19694)

The launchpad CSS for compact toolbars was not targeting a specific class, causing the styling to be applied to customer applications too.

System Layouts Mobile Status Bar (18976)

The Neptune system layouts were missing setting for mobile status bar colors.

Changing Language in PWA

When changing language in a PWA, application views would still be shown in the old language until the PA was reloaded. Now applications views will be requested based on the new language.

Open Apps in Launchpad Header (36-19745)

The event controlling window width did not handle open apps in the launchpad header, causing open app icons to disappear when resizing the window.

PDFJS Updated (39-19756)

Showing PDF files on iOS 16+ using the PDFView would result in a blank screen. The PDFJS library has been updated to v.3.8.162 which solves the problem.

Non Unicode Systems (42-19773)

If a system is not a Unicode system, the Neptune server will not encode application Javascript view data, but instead send the application JS view data in pure text. This will ensure that any non-Unicode characters in Neptune applications will not cause the JSON encoding to crash.

API Tile Info (44-19782,19865)

Updating dynamic tiles in the launchpad with initial values, like an empty string or zero would not always work. The interface for the API_TILE_INFO method in class /NEPTUNE/CL_NAD_SERVER has been changed to receive a data structure and an update structure, like in a call to a BAPI function. All the old single value attributes has been deprecated. The old individual attributes can still be used, but parsing initial values into these individual attributes, might not be parsed on to the frontend dynamic tiles. And static values defined in the cockpit tile configuration might be overwritten. New interface usage example. Your code should, of course, set all this dynamically:

22 10 0010 API Tile Info

22 10 0010 API Tile Info2


22 10 0010 API Tile Info3

Manage Screen Scroll (48-19836)

The dialog in the maintained screen was not set to scroll vertically. With a lot of screens in the launchpad, the last ones were not reachable.

22 10 0010 Manage Screen Scroll

ABAP Error in Launchpad Language List (49-19839)

An error where access to an unassigned object in /NEPTUNE/CL_NAD_APPCACHE→LANGUAGE_LIST would occur in rare cases.

Left Menu Width (53-19852)

If the launchpad is set up to have a lot of levels, the left side menu would be set to a width that fits the deepest level. That could be way to wide if only one or two levels were opened. Now the menu width will be change each time a menu item is expanded or contracted.

22 10 0010 Left Menu Width1

22 10 0010 Left Menu Width2

AppStorage Fallback Detection on iPad (57-19895)

When running the Neptune Launchpad in Safari or Chrome on an iPad, the WebSQL fallback detection was not good enough in the minified Core.js script including the AppStorage script. Instead of falling back to IndexedDB, AppStorage would crash.

Time Zone Dialog (59-19971)

The table with time zones would not display all time zones, if additional time zones were configured in the SAP system.

Undefined Model (61-20005)

If the user closed an app before an Ajax call would return, the Ajax success handler would try to set data to a null model. The check for destroyed models in the Ajax success handler has been improved to check for null too.

Notification Icon State (63-19965)

In some cases, the state would not be present in the model data when creating the notification list in the Neptune Launchpad. This would result in a Javascript error and an empty notification list.

Tiles in tile groups with action (20045)

If a tilegroup has an application added as an action, this will open the application inside the tilegroup and fill the entire tilegroup. It’s not possible to add tiles to a such tilegroup. But if tiles were added before the action was set, these tiles would show up in the menu. Some might have seen this as a feature, but this was not the intention of the tilegroup live application action. Now the tiles will not be selected from the SAP backend if an action has been added to the tilegroup.

Hide Side Menu (68-20038)

A bug in the Cockpit Launchpad & Mobile Client tools set the display of the navigation side menu based on the wrong parameters, causing the side menu to be shown in some circumstances where it shouldn’t.

Live Tilegroup Applications (69-20063)

Menu navigation items set on tile groups with live application actions would not behave correctly. Multiple navigation items would be opened, and the close button would not close the opened application. Icons set on the navigation items will now be used in in the left menu for menu items and open applications. And for open applications in the left navigation and the section for open applications in the launchpad header.

Auto Lock in PWA and Mobile Client (70-19992)

Setting a timeout in PWA and Mobile Client configuration to control when a device should be locked, didn’t kick in before the device was suspended. If the screen was never turned of, the device would never lock. A new keyboard and mouse detection has been added, so that the timer begins to count down on the last input on the device.

Disable Context Menu (71-19902)

Some older touch enabled Windows-based devices do not register right click and long press correctly, so that a long press will be interpreted as a normal click. This can cause a conflict with the new customization framework. An option to turn of right click and long press detection has therefore been added to launchpad and mobile client configuration. Tick this setting of if your cooperation uses any device where this is the case.

Card Icon Placement (78)

In some cases a tile would not have an icon placement defined, causing the icon on the card not to load.

Mobile Client & Launchpad

Customization right-Click (79-20018)

Double click and long press fires a range of mouse events. The mouseup event was not fired on the second click in double click. When clicking on a tile, this issue would result in the opening of the customization dialog in a strange mode, were the screen would be blured.

Applid Params in Dynamic Tiles (85-20171)

A standard tile action can be to open a Neptune application. It’s possible to define parameters that will be sent into the applications init and beforeDisplay event handlers. If the tile type is dynamic, a special tile configuration is added independent of the regular application defined in the tile action. These two concepts have now been somewhat combined. Application parameters defined on the regular tile action will be parsed on to the application defined in the dynamic tile configuration. This way it’s possible to easily indentify the origin of the dynamic request. The last update timestamp is already beeing send with the request in the Ajax value parameter. If application parameters have been defined in the tile action configuration, these will de concatenated in the ajax value seperated by ||. You will have to split the ajax value to get the application parameters.

22 10 0010 85 20171 1

22 10 0010 85 20171 2


Delete Policy (4-19523)

When deleting a Policy in the cockpit, the policy list was not updated after the deletion.

Search Field Design (20)

The search field in the Neptune Cockpit has been updated to fit into the Horizon Themes in UI5 1.108.

User License Table (19675)

Data in the Licensed User table in the Neptune Cockpit was not updated frequently enough.

Mobile Client Catalog Versions (77-19910)

If a mobile client was published, it was always the latest build that would be shown in the Neptune Catalog. Now the active version is selcted when the list of mobile clients are build in the catalog application.


Busy Indicator (15-19586)

The busy indicator in the sync dialog would only be visible in the first call to AppSyncStart.

MIME Handler

Video files in Media Library (38-19733)

The Neptune Media Library now supports video files in .mp4 .avi, .mov & .wmv format.

F4 Search Help

Column Popin (51-19820)

In some search helps, the demandPopin property would be set to true on all columns. On small screens, all the columns would popin making the select box rendered incorrectly.

Default values for search parameters (83-20155)

Corrected a bug where the default values for the search help parameters would not be read if the parameters were not visible.

ALV Report

Error on Tile Action Type ABAP Report when using ABAP Query (SQ01) (07-19415)

When you are using a Tile with action Type "ABAP Report" and passing a ABAP Query Report (SQ01) it could have happened that you would get an error when running the report. This was due to the fact that the ALV Fieldcatalogue has not always been determined correctly.


Wrong boolean handling when data element name is substring of boolean data element names (13-19583)

If you were using a data element that should not be considered as JSON boolean and that would have as a name a substring of one of the data elements that are properly treated as boolean, then the data element was wrongly treated as boolean. Example: You have the following data elements defined:

Data element name Domain should be treated as boolean?







Additionally, you would have a structure that contains both data elements. Then it could have happened that ZGH_D_CHAR is considered as boolean value during serialization/deserialization which is wrong (because its name is a substring of ZGH_D_CHAR_BOOLEAN, which is a valid boolean).

Extension Apps

Dump OBJECTS_OBJREF_NOT_ASSIGNED_NO when calling extension app (15-19585)

Under certain conditions it could have happened that calling an extension app would lead to an exception in /NEPTUNE/CL_NAD_SERVER→UI5_ATTRIBUTES. The setup needed to be as follows: Inside the extension app you would add an "Add" extension to a ui5 control. Afterward, you would add a "Change" extension. Then you would define a attribute in the "Change" extension that is not defined or default in the base app.

VizFrame properties lost in application extensions (16-19607)

When using VizFrame properties in one app and an extension was created, this component was not loaded correctly into the extension app. This was now been fixed.

App Designer

Translation Export (21-19631)

Texts longer than 100 characters were being truncated at 100 characters. Now the full text (up to 255 characters) will be exported

Planning Calendar (1)

Appointments & Interval Header bindings are now working with generic models. Multi model support will be added in DXP23.

Button and ObjectStatus property values (3-19525)

The value table for the sap.m.Button#type property and sap.m.ObjectStatus#state, have been updated with the latest values.

Default theme

Default theme is now preselected also when creating an app in the App Designer in SAP GUI.

Url generation & ICF subnode (73-20020)

Both app designers (Cockpit and SAP GUI) have now been aligned for uppercase/lowercase usage for saving setting "Allow ICF subnode" as well as the url that is generated when running an app standalone from the App Designer. Activating an app with this ICF setting in the Cockpit app designer could in certain cases give the error "Internal Server Error: APPLID not found".


afterUnlock Enhancement did not call when offline (37-19620)

When unlocking (pin code) a PWA enabled launchpad or a Mobile Client and you are offline, the afterUnlock Enhancement has not been called. This is now resolved. The ajax call to fetch changes to tile groups, tiles and apps is now skipped during offline re-authentication. In certain vpn scenarios, this call could result in a long timeout.


Lock request message changed in SAP S/4 HANA 2021 and newer (45-19793)

Since SAP version S/4 HANA 2021, the message returned when an object is locked has been changed to contain two variables. For these newer SAP versions, the message will now show the key of the locked object in addition to whom the object is locked by.


PWA OAuth without Session "Create Login Cookies" enabled fails (58-19842)

When you were using a PWA enabled Launchpad that uses OAuth as an authentication mechanism that didn’t work unless you enabled the checkbox "Create Login Cookies" in the Launchpad settings. This is now working also without Login Cookies.


GetDate (87-20204)

neptune.Formatter.getDate was using the format parameter and not the pattern parameter to get a date instance based on the yyyyMMdd pattern.