Sanitization API

API that provides methods to avoid code injection in HTML, JavaScript and SQL snippets that need to include untrusted content, i.e. content gathered from end users.

Summary

Action: SanitizeHtml
Description: Sanitizes the provided HTML using the OWASP Java HTML Sanitizer Project. The implemented policy follows the example in https://github.com/OWASP/java-html-s...cyExample.java.

Action: VerifyJavascriptLiteral
Description: Ensures the provided JavaScript only contains literals. If it contains anything else, an "INVALID JAVASCRIPT LITERAL" exception is thrown.

Action: VerifySqlLiteral
Description: Ensures the provided snippet only contains valid SQL literals. If it contains anything else, an "INVALID SQL LITERAL" exception is thrown and nothing is returned.
The following items are considered valid literals:
- Non-Unicode and Unicode strings (the latter prefixed with an uppercase N) surrounded by single quotes ('), for example '1900-01-01'; 'Don''t panic'; N'hello'; 'true'
- Integers and decimals, for example (1); 2.5; -4
- Null, for example null; NULL; Null
- Whitespace
- Lists containing the previous literals, for example 'fact',12,0; ('apple','banana','durian')
- Any combination of the previous literals

Actions

SanitizeHtml

Sanitizes the provided HTML using the OWASP Java HTML Sanitizer Project. The implemented policy follows the example in https://github.com/OWASP/java-html-s...cyExample.java.

Inputs

Html
Type: Text. Mandatory.
The HTML to sanitize.

Outputs

SanitizedHtml
Type: Text.
The sanitized HTML.

VerifyJavascriptLiteral

Ensures the provided JavaScript only contains literals. If it contains anything else, an "INVALID JAVASCRIPT LITERAL" exception is thrown.

Inputs

JavascriptLiteral
Type: Text. Mandatory.
The JavaScript literal to sanitize.

Outputs

SanitizedJavascriptLiteral
Type: Text.
The sanitized JavaScript literal.

VerifySqlLiteral

Ensures the provided snippet only contains valid SQL literals. If it contains anything else, an "INVALID SQL LITERAL" exception is thrown and nothing is returned.

The following items are considered valid literals:

- Non-Unicode and Unicode strings (the latter prefixed with an uppercase N) surrounded by single quotes ('), for example '1900-01-01'; 'Don''t panic'; N'hello'; 'true'
- Integers and decimals, for example (1); 2.5; -4
- Null, for example null; NULL; Null
- Whitespace
- Lists containing the previous literals, for example 'fact',12,0; ('apple','banana','durian')
- Any combination of the previous literals

Inputs

SqlLiteral
Type: Text. Mandatory.
The SQL to sanitize.

Outputs

SanitizedSqlLiteral
Type: Text.
The sanitized SQL.
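As an added illustration of the literal grammar documented for VerifySqlLiteral (this is not OutSystems code), the Python validator below tokenizes a snippet into the listed literal kinds, checks that list parentheses balance, and rejects anything else with an exception named after the documented one. The regex patterns, function names and sample inputs are constructed assumptions, not the platform's implementation.

```python
import re


class InvalidSqlLiteral(ValueError):
    """Raised when the snippet contains anything other than SQL literals."""


# One alternative per literal kind listed in the reference. This is an added
# illustration of the documented grammar, not the OutSystems implementation.
_LITERAL = re.compile(
    r"""
      (?P<ws>\s+)                      # whitespace
    | (?P<string>N?'(?:[^']|'')*')     # 'Don''t panic', N'hello', '1900-01-01'
    | (?P<number>-?\d+(?:\.\d+)?)      # 1, 2.5, -4
    | (?P<null>(?i:null))              # null / NULL / Null
    | (?P<list>[(),])                  # list delimiters: ('a','b') or 'fact',12,0
    """,
    re.VERBOSE,
)


def verify_sql_literal(snippet: str) -> str:
    """Return the snippet unchanged if it consists only of valid literals.

    Keywords, operators, comments, statement terminators or an unterminated
    string raise InvalidSqlLiteral, mirroring the documented
    "INVALID SQL LITERAL" exception.
    """
    pos, depth = 0, 0
    while pos < len(snippet):
        m = _LITERAL.match(snippet, pos)
        if m is None:
            raise InvalidSqlLiteral(f"INVALID SQL LITERAL at offset {pos}: {snippet[pos:pos + 20]!r}")
        if m.lastgroup == "list":
            depth += {"(": 1, ")": -1}.get(m.group(), 0)
            if depth < 0:
                raise InvalidSqlLiteral("INVALID SQL LITERAL: unbalanced ')'")
        pos = m.end()
    if depth != 0:
        raise InvalidSqlLiteral("INVALID SQL LITERAL: unbalanced '('")
    return snippet


def is_sql_literal(snippet: str) -> bool:
    """True if verify_sql_literal accepts the snippet, False if it raises."""
    try:
        return verify_sql_literal(snippet) == snippet
    except InvalidSqlLiteral:
        return False
```

Because only literals pass, a snippet such as `'a' OR 1=1--` (constructed) is refused at the first keyword, while the page's own examples are returned unchanged.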