Code injection occurs when untrusted data is sent to a code interpreter, where it is parsed as part of a command or query instead of being treated as data. The most common scenarios are SQL Injection and XML Injection.
The following example from OWASP documentation illustrates how an SQL injection attack can be used to fetch all accounts from a database:
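The illustration below is an added example written for this page, not the OWASP sample or OutSystems code. It contrasts a query that pastes untrusted input into the SQL text with one that binds the same input as a parameter, using an in-memory SQLite table of constructed accounts. The tautology string used as hostile input is a constructed test value; the table, column and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
ACCOUNTS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def find_accounts_vulnerable(conn, owner):
    """Untrusted input is concatenated into the SQL text, so the interpreter
    parses it as part of the query: the WHERE clause can be rewritten."""
    sql = "SELECT id, owner, email FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def find_accounts_safe(conn, owner):
    """Parameter binding keeps the input as data: the query structure is fixed
    before the value is supplied, whatever characters the value contains."""
    sql = "SELECT id, owner, email FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run both lookups with an honest value and with a constructed hostile value
    and return the four result sets for comparison."""
    conn = make_db()
    honest = "alice"
    # Constructed untrusted input: a tautology that turns the WHERE clause into
    # "owner = 'x' OR '1'='1'" when concatenated, matching every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": find_accounts_vulnerable(conn, honest),
        "vulnerable_hostile": find_accounts_vulnerable(conn, hostile),
        "safe_honest": find_accounts_safe(conn, honest),
        "safe_hostile": find_accounts_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the hostile value returns all three accounts, which is exactly the "fetch all accounts" outcome described above; the bound query returns no rows for it, because no account is literally named `x' OR '1'='1`. The same distinction applies to any SQL interface: build the statement first, then hand the interpreter the data separately.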
Cross Site Scripting
Cross Site Scripting (XSS) occurs when untrusted data is sent into the web browser (the renderer), where it is interpreted as markup or script rather than shown as text. It is one of the most common web application vulnerabilities.
The following example from OWASP documentation illustrates how an XSS attack can be used to hijack a user session and impersonate the user:
How to do it with OutSystems Platform
In general, the recommended strategy is to escape content.
When you need to explicitly turn off the default content escaping feature of OutSystems Platform, the corresponding actions are recommended:

- Escape expressions in screens.
- Expand inline parameters in advanced queries: use the function EncodeSQL().
- Manually build URLs in redirects with dynamic URLs: use the function EncodeURL().
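The following is an added example, not OutSystems code and not the platform's built-in functions; it shows what the three recommendations above (and the escaping strategy against XSS described earlier) amount to when written by hand. Each encoder is a Python stand-in for one output context: HTML text for a screen expression, a SQL string literal for an inline parameter expanded into an advanced query, and a percent-encoded URL component for a dynamically built redirect. The account table, function names and untrusted inputs are constructed for the demonstration, and the SQL encoder assumes a dialect in which a single quote inside a literal is escaped only by doubling it (as in SQLite and standard SQL); parameter binding remains the preferred option wherever the query allows it.

```python
import html
import sqlite3
from urllib.parse import quote


def encode_html(value):
    """Stand-in for keeping escaping on in a screen expression: <, >, &, " and '
    become character references, so the browser renders them as text."""
    return html.escape(value, quote=True)


def encode_sql_literal(value):
    """Stand-in for EncodeSQL(): double every single quote so the value cannot
    terminate the string literal it is expanded into (assumes SQLite/standard
    SQL quoting, where '' is the only escape inside a literal)."""
    return value.replace("'", "''")


def encode_url(value):
    """Stand-in for EncodeURL(): percent-encode everything except unreserved
    characters, so a dynamic value cannot add or split URL parameters."""
    return quote(value, safe="")


def render_greeting(name):
    """Screen expression built from an untrusted name, escaped for HTML."""
    return "<p>Hello, " + encode_html(name) + "</p>"


def make_db():
    """Constructed in-memory table for the SQL demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "o'brien")])
    return conn


def find_account_inline(conn, owner):
    """Advanced query with the parameter expanded inline (escaping turned off),
    so the value is escaped explicitly before concatenation."""
    sql = "SELECT id FROM accounts WHERE owner = '" + encode_sql_literal(owner) + "'"
    return conn.execute(sql).fetchall()


def build_redirect(base, params):
    """Manually built redirect URL: every key and value is URL-encoded."""
    query = "&".join(encode_url(k) + "=" + encode_url(v) for k, v in params.items())
    return base + "?" + query


def demo():
    """Apply each encoder to a constructed untrusted input and return the results."""
    conn = make_db()
    return {
        # Markup in the name is rendered as literal text, not executed.
        "html": render_greeting("<script>alert(1)</script>"),
        # The embedded quote stays inside the literal: no row is named this.
        "sql_hostile": find_account_inline(conn, "x' OR '1'='1"),
        # A legitimate apostrophe still matches the stored value.
        "sql_legit": find_account_inline(conn, "o'brien"),
        # '&', '=', '?' and '/' in the values cannot alter the URL structure.
        "url": build_redirect("https://app.example.test/Home.aspx",
                              {"next": "/Search?q=a&b", "name": "o'brien <x>"}),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The point of keeping three separate encoders is that escaping is context-specific: HTML escaping does nothing for a SQL literal, and SQL quote doubling does nothing for a URL parameter. The value has to be encoded for the interpreter it is actually going to, which is why the platform recommends a different function for each situation in which default escaping is turned off.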
To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.