OutSystems

Sanitization API

API that provides methods to help you avoid code injection in HTML, JavaScript and SQL snippets that need to include untrusted content, i.e. content gathered from end-users.

Summary

Actions

BuildSafe_InClauseIntegerList
Returns a comma-delimited text value containing all the integer values provided as input. The returned value can be safely used in a SQL "IN" clause.

BuildSafe_InClauseTextList
Returns a comma-delimited text value with the encoded version of all the text values provided as input. The returned value can be safely used in a SQL "IN" clause.

SanitizeHtml
Sanitizes the provided HTML using the OWASP Java HTML Sanitizer Project. The implemented policy follows the example in https://github.com/OWASP/java-html-s...cyExample.java.

VerifyJavascriptLiteral
Ensures the provided JavaScript only contains literals. If it contains anything else, an INVALID JAVASCRIPT LITERAL exception is thrown.

VerifySqlLiteral
Ensures the provided SQL only contains literals. If it contains anything else, an INVALID SQL LITERAL exception is thrown.

Structures

IntegerLiteral
Simple structure holding a long integer value. Used as a record definition when providing a list of IntegerLiteral records to include in a SQL "IN" clause.

TextLiteral
Simple structure holding a text value. Used as a record definition when providing a list of TextLiteral records to include in a SQL "IN" clause.

Actions

BuildSafe_InClauseIntegerList

Returns a comma-delimited text value containing all the integer values provided as input. The returned value can be safely used in a SQL "IN" clause.

Inputs

ValueList
Type: RecordList of IntegerLiteral. Mandatory.
List of integer values to include in the returned value.

Outputs

Output
Type: Text.
A string containing comma-separated integer values to be used in a SQL "IN" clause.

BuildSafe_InClauseTextList

Returns a comma-delimited text value with the encoded version of all the text values provided as input. The returned value can be safely used in a SQL "IN" clause.

Inputs

ValueList
Type: RecordList of TextLiteral. Mandatory.
List of text values to include in the returned value.

Outputs

Output
Type: Text.
A string containing a set of encoded text values separated by commas to be used in a SQL "IN" clause.

SanitizeHtml

Sanitizes the provided HTML using the OWASP Java HTML Sanitizer Project. The implemented policy follows the example in https://github.com/OWASP/java-html-s...cyExample.java.

Inputs

Html
Type: Text. Mandatory.
The HTML to sanitize.

Outputs

SanitizedHtml
Type: Text.
The sanitized HTML.

VerifyJavascriptLiteral

Ensures the provided JavaScript only contains literals. If it contains anything else, an INVALID JAVASCRIPT LITERAL exception is thrown.

Inputs

JavascriptLiteral
Type: Text. Mandatory.
The JavaScript literal to sanitize.

Outputs

SanitizedJavascriptLiteral
Type: Text.
The sanitized JavaScript literal.

VerifySqlLiteral

Ensures the provided SQL only contains literals. If it contains anything else, an INVALID SQL LITERAL exception is thrown.

Inputs

SqlLiteral
Type: Text. Mandatory.
The SQL to sanitize.

Outputs

SanitizedSqlLiteral
Type: Text.
The sanitized SQL.
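The following is an added illustration, a hypothetical Python re-implementation and not the OutSystems Sanitization API's own code, of what BuildSafe_InClauseIntegerList, BuildSafe_InClauseTextList and VerifySqlLiteral guarantee: integers are validated rather than stringified, text values are quoted with embedded quotes doubled so a value cannot end its own literal, and the SQL-literal grammar checked here is an assumption, since the page does not define it.

```python
import re

class InvalidSqlLiteral(ValueError):
    """Stands in for the INVALID SQL LITERAL exception named on this page."""

def build_safe_in_clause_integer_list(values):
    """Comma-delimited integers for a SQL IN clause.

    Only genuine ints are accepted; anything else is rejected rather than
    stringified, so untrusted text can never reach the query by this path.
    """
    for v in values:
        if isinstance(v, bool) or not isinstance(v, int):
            raise InvalidSqlLiteral(f"not an integer: {v!r}")
    return ",".join(str(v) for v in values)

def build_safe_in_clause_text_list(values):
    """Comma-delimited quoted text literals for a SQL IN clause.

    Each value is wrapped in single quotes and every embedded single quote is
    doubled (standard SQL string-literal encoding), so a value such as
    x' OR '1'='1 stays inside its own literal instead of ending it.
    """
    return ",".join("'" + str(v).replace("'", "''") + "'" for v in values)

# One SQL literal: a single-quoted string (inner quotes doubled), an optionally
# signed number, or NULL/TRUE/FALSE. A literal list is one or more of these
# separated by commas; operators, identifiers, comments and semicolons are
# all outside this grammar (assumed here; the page does not define it).
_LITERAL = r"(?:'(?:[^']|'')*'|-?\d+(?:\.\d+)?|NULL|TRUE|FALSE)"
_LITERAL_LIST = re.compile(
    r"^\s*" + _LITERAL + r"(?:\s*,\s*" + _LITERAL + r")*\s*$", re.IGNORECASE
)

def is_sql_literal(sql):
    """True if the text consists only of SQL literals."""
    return _LITERAL_LIST.match(sql) is not None

def verify_sql_literal(sql):
    """Return the text unchanged if it is purely literals, else raise.

    Like VerifySqlLiteral, nothing is rewritten: pass-through or exception.
    """
    if not is_sql_literal(sql):
        raise InvalidSqlLiteral(f"not a SQL literal: {sql!r}")
    return sql
```

Note that the text builder never rejects input; it encodes it, whereas the verifier only accepts or refuses, which is why the page exposes both kinds of action.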

Structures

IntegerLiteral

Simple structure holding a long integer value. Used as a record definition when providing a list of IntegerLiteral records to include in a SQL "IN" clause.

Attributes

Value
Type: LongInteger. Mandatory.
An integer value to consider when creating a SQL "IN" clause.

TextLiteral

Simple structure holding a text value. Used as a record definition when providing a list of TextLiteral records to include in a SQL "IN" clause.

Attributes

Value
Type: Text (2000). Mandatory.
A text value to consider when creating a SQL "IN" clause.