
OutSystems 10 Security Warnings

Overview

In OutSystems 10 we introduced security warnings that can be seen in Service Studio as TrueChange warnings and in the deployment log while publishing an eSpace through Service Center.

These warnings appear when the platform detects insecure application patterns that can introduce vulnerabilities. Most of these vulnerabilities can be avoided or mitigated with OutSystems built-in tools. In this document, we provide a direct mapping between each platform warning, the insecure pattern it identifies, and the solution for the identified vulnerability.

Open Redirect

More information about Open Redirect attacks and the consequences of having this vulnerability.

Warning: "Please enclose input parameters with a ReplaceURLDomain() function from HttpRequestHandler to avoid open redirect vulnerabilities."

Pattern: Having screen input parameters that represent URLs and are used in redirection nodes. If this input is not being validated, it can contain the URL for a malicious website.

Solution: As the warning suggests, enclose the input parameter with the ReplaceURLDomain() function. It replaces any domain in the URL with your own domain, guaranteeing that the URL points to a location inside your domain (even if that location does not exist). If you really need to allow redirections to external domains, keep a whitelist of valid domains and develop your own logic to check whether the URL belongs to a whitelisted domain; compare the parsed host against the list exactly, since a substring check can be bypassed by a hostname that merely contains your domain.

SQL injection

Warning: "Please ensure your argument is correctly encoded to avoid SQL injection security flaws."

Pattern: Having screen input parameters that are used directly as parameters in Aggregates and/or Advanced Queries, without being encoded or escaped.

Solution: Enclose the input parameters with the EncodeSQL() function, which will escape and/or encode characters in order to avoid SQL injection attacks.

Cross-Site Scripting (XSS)

More information about XSS attacks and the consequences of having this vulnerability.

Information on how the OutSystems platform offers tools to overcome XSS vulnerabilities.

JavaScript and HTML injections

Warning: "Please ensure your expression is correctly encoded to avoid JavaScript injection security flaws." / "Please ensure your expression is correctly encoded or sanitized to avoid HTML injection security flaws."

Pattern: Having screen input parameters or variables that are output directly into expressions which the platform transforms into HTML or JavaScript, without encoding or escaping the variables' values.

Solution: Enclose the input parameters and variables with the EncodeJavascript() or EncodeHTML() functions, depending on the context the value is written into (a JavaScript string versus HTML markup), which will escape and/or encode characters in order to avoid JavaScript and HTML injection attacks.