
OutSystems

Code Injection Warning

The Code Injection warning is issued in the following situations:

  • Please ensure your argument is correctly encoded to avoid SQL injection security flaws

    The argument named in the warning takes its value from end-user input, which may contain malicious content.

    Do one of the following:

    • Disable the 'Expand Inline' property of the 'Query Parameter';

    • Use the EncodeSql built-in function to replace all SQL reserved characters with their escaped counterparts, so that the value can be included in a SQL string;

    • Use the VerifySqlLiteral function from the Sanitization extension module to ensure that the value entered by the end-user only contains valid SQL literals.
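The three remedies above differ in where the boundary between SQL and data is drawn. The following added example (not OutSystems code) shows them side by side with a plain Python sqlite3 database: `query_expanded_inline` splices the parameter text into the statement as 'Expand Inline' does, `query_encoded_inline` passes it through an `encode_sql` helper with assumed EncodeSql semantics (double every single quote), and `query_bound` lets the driver bind the value, which is what disabling 'Expand Inline' achieves. `verify_sql_literal` is a hypothetical analogue of VerifySqlLiteral that accepts only a quoted string literal or a number. The table contents and the probe values are constructed for the example.

```python
import re
import sqlite3


# Constructed sample data: an in-memory table standing in for an application entity.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customer (Name) VALUES (?)",
                     [("Ana",), ("O'Brien",), ("Zed",)])
    return conn


def encode_sql(value):
    """Assumed analogue of EncodeSql (not OutSystems' implementation): double
    every single quote so the value can sit inside a single-quoted SQL string."""
    return value.replace("'", "''")


# Hypothetical analogue of VerifySqlLiteral: accept only a quoted string literal
# (quotes inside must be doubled) or a plain numeric literal, nothing else.
_SQL_LITERAL = re.compile(r"'(?:[^']|'')*'|-?[0-9]+(?:\.[0-9]+)?")


def verify_sql_literal(value):
    return _SQL_LITERAL.fullmatch(value) is not None


def query_expanded_inline(conn, name):
    """'Expand Inline' enabled: the parameter text is spliced into the statement
    verbatim, so quote characters in the input become part of the SQL."""
    sql = "SELECT Id FROM Customer WHERE Name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def query_encoded_inline(conn, name):
    """Still expanded inline, but the value goes through encode_sql first, so
    the whole input stays inside one string literal."""
    sql = "SELECT Id FROM Customer WHERE Name = '%s'" % encode_sql(name)
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, name):
    """'Expand Inline' disabled: the driver binds the value as data and the
    statement text never changes."""
    return [row[0] for row in conn.execute(
        "SELECT Id FROM Customer WHERE Name = ?", (name,))]


if __name__ == "__main__":
    conn = make_db()
    # A legitimate name with an apostrophe, and a constructed probe value that
    # contains a quote and a comment marker.
    for name in ("O'Brien", "x' OR 1=1 --"):
        try:
            inline = query_expanded_inline(conn, name)
        except sqlite3.OperationalError as exc:
            inline = "SQL error: %s" % exc
        print(repr(name), "inline:", inline,
              "| encoded:", query_encoded_inline(conn, name),
              "| bound:", query_bound(conn, name))
```

Running the block shows the two failure modes the warning guards against: the apostrophe in a legitimate name breaks the inline statement outright, and the probe value turns the WHERE clause into one that matches every row, while both the encoded and the bound variants return only what the literal text matches.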

  • Please ensure your expression is correctly encoded or sanitized to avoid HTML injection security flaws

    The expression named in the warning takes its value from end-user input, which may contain malicious content.

    Do one of the following:

    • Enable the 'Escape Content' property of the expression;

    • Use the EncodeHtml built-in function to replace all HTML reserved characters with their escaped counterparts;

    • Use the EncodeUrl built-in function to replace all characters that are invalid in a URL with their percent-encoded counterparts;

    • Use the EncodeJavascript built-in function to replace all JavaScript reserved characters with their escaped counterparts so the value can be included in a JavaScript string;

    • Use the SanitizeHtml function from the Sanitization extension module to ensure that the value entered by the end-user does not contain any malicious content.

  • Please ensure your expression is correctly encoded to avoid JavaScript injection security flaws

    The expression named in the warning takes its value from end-user input, which may contain malicious content.

    Do one of the following:

    • Use the EncodeJavascript built-in function to replace all JavaScript reserved characters with their escaped counterparts;

    • Use the VerifyJavascriptLiteral function from the Sanitization extension module to ensure that the value entered by the end-user only contains valid JavaScript or JSON literals.
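The HTML and JavaScript warnings above list several encoders because the right one depends on where the expression ends up: page markup, a URL component, or a JavaScript string. The following added example (not OutSystems code) implements plain-Python analogues of EncodeHtml, EncodeUrl and EncodeJavascript with assumed semantics, a hypothetical `verify_javascript_literal` that approximates VerifyJavascriptLiteral by accepting only a single JSON literal, and three small renderers that place an expression in each context, with 'Escape Content' modelled as a flag on the HTML renderer. All sample values are constructed.

```python
import html
import json
import urllib.parse


def encode_html(value):
    """Analogue of EncodeHtml (assumed semantics, not OutSystems' code):
    replace the HTML reserved characters & < > " ' with entity references."""
    return html.escape(value, quote=True)


def encode_url(value):
    """Analogue of EncodeUrl: percent-encode everything that is not an
    unreserved character, so the value is safe inside one URL component."""
    return urllib.parse.quote(value, safe="")


# Backslash comes first so the escapes added afterwards are not escaped twice.
_JS_ESCAPES = [("\\", "\\\\"), ('"', '\\"'), ("'", "\\'"),
               ("\n", "\\n"), ("\r", "\\r"), ("\t", "\\t"),
               ("<", "\\u003c"), (">", "\\u003e")]


def encode_javascript(value):
    """Analogue of EncodeJavascript: escape the characters that could end a
    JavaScript string literal or the surrounding <script> element."""
    for raw, escaped in _JS_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def verify_javascript_literal(value):
    """Hypothetical analogue of VerifyJavascriptLiteral, approximated as
    'is this exactly one JSON literal': numbers, strings, objects and arrays
    pass, anything that parses as code (a call, an assignment) is rejected."""
    try:
        json.loads(value)
    except ValueError:
        return False
    return True


def render_html(expr, escape_content):
    """An expression placed in page markup. With 'Escape Content' off the
    tags in the value join the DOM; with it on they are displayed as text."""
    body = encode_html(expr) if escape_content else expr
    return "<span>%s</span>" % body


def render_js_string(expr):
    """An expression placed inside a JavaScript string literal."""
    return 'var name = "%s";' % encode_javascript(expr)


def render_query_string(expr):
    """An expression placed in a URL query parameter."""
    return "/search?q=" + encode_url(expr)


if __name__ == "__main__":
    sample = 'Ana <b>"Bold"</b> & co'  # constructed input with markup and quotes
    print(render_html(sample, escape_content=False))
    print(render_html(sample, escape_content=True))
    print(render_js_string(sample))
    print(render_query_string(sample))
    for candidate in ('"hello"', '42', '{"a": [1, 2]}', 'alert(1)'):
        print(repr(candidate), "literal:", verify_javascript_literal(candidate))
```

The point to take from the renderers is that each encoder matches one output context: `encode_html` does nothing for a value that lands inside a JavaScript string, and `encode_javascript` does nothing for a value that lands in markup, so the encoder is chosen by looking at where the expression is emitted, not at where its value came from.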
