Starting in OutSystems Platform version 9.1.501.0, this API provides actions that help prevent code injection (cross-site scripting through HTML or JavaScript, and SQL injection) in HTML, JavaScript and SQL snippets that must include untrusted content, that is, content gathered from end users (form input, URL parameters, data they stored earlier) rather than written by the developer.

Summary

Actions
SanitizeHtml - Sanitizes the provided HTML using the OWASP Java HTML Sanitizer Project, with a policy that follows the example in https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/EbayPolicyExample.java. Elements and attributes outside that policy are removed.
VerifyJavascriptLiteral - Ensures the provided JavaScript contains only literals. If it contains anything else, an INVALID JAVASCRIPT LITERAL exception is thrown.
VerifySqlLiteral - Ensures the provided SQL contains only literals. If it contains anything else, an INVALID SQL LITERAL exception is thrown.

Actions

SanitizeHtml

Sanitizes the provided HTML using the OWASP Java HTML Sanitizer Project. The implemented policy follows the example in https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/EbayPolicyExample.java. The policy is an allowlist: any element, attribute or attribute value that it does not explicitly accept is removed. Use this action when you intend to render user-supplied HTML as markup, for example in an Expression whose Escape Content property is set to No; content rendered with escaping on is shown as text and needs no sanitization.

Inputs


Html
Type: Text. Mandatory.
The HTML to sanitize.

Outputs


SanitizedHtml
Type: Text.
The sanitized HTML, containing only the elements, attributes and attribute values accepted by the policy listed below.
 
The SanitizeHtml function allows only the following HTML elements and attributes in the SanitizedHtml output. Anything else (other elements, other attributes, and attribute values that do not meet the listed constraints) is removed.

HTML Element: a
Valid attributes: href, nohref, name, onfocus, onblur, onclick, onmousedown, onmouseup
Remarks:
href - must be a well-formed on-site or off-site URL
name - must be a valid HTML name
onfocus, onblur, onclick, onmousedown, onmouseup - must be history.go(-1), i.e., the JavaScript command to go to the previous page

HTML Element: col, colgroup
Valid attributes: align, valign, charoff, char, span, width
Remarks:
align - must be one of center | left | right | justify | char
valign - must be one of baseline | bottom | middle | top
charoff, span, width - must be a number or a percentage
char - must be one char

HTML Element: font
Valid attributes: color, face, size
Remarks:
color - must be an HTML color name or code
face - must be a valid font-face name
size - must be a number

HTML Element: img
Valid attributes: src, name, alt, border, hspace, vspace, height, width, align
Remarks:
src - must be a well-formed on-site or off-site URL
name - must be a valid HTML name
alt - must be a well-formed paragraph of text
border, hspace, vspace - must be a number
height, width - must be a number or a percentage
align - must be one of center | left | right | justify | char

HTML Element: label
Valid attributes: for
Remarks:
for - must be a well-formed HTML ID

HTML Element: p
Valid attributes: align
Remarks:
align - must be one of center | left | right | justify | char

HTML Element: table
Valid attributes: border, cellpadding, cellspacing, bgcolor, background, align, noresize, height, width
Remarks:
border, cellpadding, cellspacing - must be a number
bgcolor - must be an HTML color name or code
background - must be a well-formed on-site URL
align - must be one of center | left | right | justify | char
height, width - must be a number or a percentage

HTML Element: tbody, tfoot, thead
Valid attributes: align, valign, charoff, char
Remarks:
align - must be one of center | left | right | justify | char
valign - must be one of baseline | bottom | middle | top
charoff - must be a number or a percentage
char - must be one char

HTML Element: td, th
Valid attributes: background, bgcolor, abbr, axis, headers, scope, nowrap, height, width, align, valign, charoff, char, colspan
Remarks:
background - must be a well-formed on-site URL
bgcolor - must be an HTML color name or code
abbr - must be a well-formed paragraph of text
axis, headers - must be a valid HTML name
scope - must be one of col | row | colgroup | rowgroup
height, width, charoff - must be a number or a percentage
align - must be one of center | left | right | justify | char
valign - must be one of baseline | bottom | middle | top
char - must be one char
colspan - must be a number

HTML Element: tr
Valid attributes: background, height, width, align, valign, charoff, char
Remarks:
background - must be a well-formed on-site URL
height, width, charoff - must be a number or a percentage
valign - must be one of baseline | bottom | middle | top
align - must be one of center | left | right | justify | char
char - must be one char

HTML Element: b, blockquote, br, center, cite, dd, div, dl, dt, fieldset, h1, h2, h3, h4, h5, h6, hr, i, legend, li, map, noscript, ol, samp, span, sub, sup, strike, u, ul
Valid attributes: none beyond the global attributes listed below
Remarks: none

These attributes are valid for all accepted elements:

id - must be a well-formed HTML ID
class - must be a well-formed HTML CLASS name
lang - must be a well-formed HTML language
title - must be a well-formed HTML title

In the referenced example policy, an off-site URL must start with http://, https://, ftp://, ftps:// or mailto:, and an on-site URL may not contain a colon at all, so javascript: and data: URLs fail both checks and the attribute is dropped. A quick check before relying on this in production is to run SanitizeHtml on <a href="javascript:alert(1)">x</a> and confirm that the href is gone from the output.
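To make the policy concrete, here is an added example (written for this page; it is neither OutSystems code nor the OWASP sanitizer) of an allowlist sanitizer in Python that applies a subset of the table above: the a, img, p, label and table elements with some of their attributes, the attribute-less elements, and the global attributes, with regular expressions approximating the referenced example policy's validators. The class and function names, the regexes and the sample input are this example's own. It shows the behaviour a practitioner should expect from SanitizeHtml: unknown elements are dropped but their text is kept, script and style are dropped together with their content, disallowed attributes and failing attribute values are removed, event handlers survive only as history.go(-1), and a javascript: URL is rejected even when the colon is written as an entity.

```python
import html
import re
from html.parser import HTMLParser

# Attribute-value validators, applied with fullmatch(). They approximate the
# patterns of the referenced OWASP example policy; the regexes are this
# example's own and are deliberately strict rather than complete.
_OFFSITE = r"(?:(?:https?|ftps?)://|mailto:)[\w.-]+[^\s\"'<>]*"
_ONSITE = r"[\w\-./#@$%+&;,?=!~]+"   # no ':' allowed, hence no scheme: javascript: and data: cannot pass
URL = re.compile(rf"(?:{_OFFSITE})|(?:{_ONSITE})", re.I)
ONSITE_URL = re.compile(_ONSITE)
NUMBER = re.compile(r"\d+")
NUMBER_OR_PERCENT = re.compile(r"\d+%?")
ALIGN = re.compile(r"center|left|right|justify|char", re.I)
HTML_ID = re.compile(r"[a-zA-Z][\w:.-]*")
HTML_CLASS = re.compile(r"[\w\s,-]+")
NAME = re.compile(r"[\w$-]+")
PARAGRAPH = re.compile(r"[\w\s.,;:!?'()-]*")
LANG = re.compile(r"[a-zA-Z]{2,8}(?:-\w{1,8})*")
HISTORY_BACK = re.compile(r"(?:javascript:)?history\.go\(-1\)")
ANY = re.compile(r".*")

# A subset of the table above: element -> {attribute: validator}.
POLICY = {
    "a": {"href": URL, "nohref": ANY, "name": NAME,
          **{ev: HISTORY_BACK for ev in ("onfocus", "onblur", "onclick", "onmousedown", "onmouseup")}},
    "img": {"src": URL, "name": NAME, "alt": PARAGRAPH, "border": NUMBER,
            "height": NUMBER_OR_PERCENT, "width": NUMBER_OR_PERCENT, "align": ALIGN},
    "p": {"align": ALIGN},
    "label": {"for": HTML_ID},
    "table": {"border": NUMBER, "background": ONSITE_URL, "width": NUMBER_OR_PERCENT},
}
for _tag in ("b", "i", "u", "br", "hr", "div", "span", "ul", "ol", "li", "blockquote", "h1", "h2", "h3"):
    POLICY[_tag] = {}                      # allowed, but only with the global attributes
GLOBAL_ATTRS = {"id": HTML_ID, "class": HTML_CLASS, "lang": LANG, "title": PARAGRAPH}
VOID = {"br", "hr", "img"}
DROP_WITH_CONTENT = {"script", "style"}    # dropped together with their text


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded, so javascript&#58; is seen as javascript:
        self.out = []
        self.open = []       # elements we emitted and still have to close
        self.skipping = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping += 1
            return
        if tag not in POLICY:
            return           # unknown element: dropped, its text content is kept by handle_data
        kept = []
        for name, value in attrs:
            validator = POLICY[tag].get(name) or GLOBAL_ATTRS.get(name)
            value = (value or "").strip()
            if validator is not None and validator.fullmatch(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_WITH_CONTENT:
                self.skipping -= 1
            return
        if tag in self.open:  # close anything still open inside it so the output stays well nested
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the base class and are dropped.

    def result(self):
        while self.open:     # close elements the input left unclosed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted_html):
    """Return untrusted_html reduced to the allowlisted elements and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input for this example.
    print(sanitize_html('<p align="left">Hi <b>there</b><script>alert(1)</script>'
                        '<a href="javascript:alert(1)" onclick="steal()">x</a></p>'))
```

Running it on <a href="javascript:alert(1)" onclick="steal()">x</a> yields <a>x</a>; the same input is a sensible smoke test to run through the real SanitizeHtml before trusting it in production.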

VerifyJavascriptLiteral

Ensures the provided JavaScript contains only literals (for example a quoted string or a number). If it contains anything else, such as identifiers, operators or function calls, an INVALID JAVASCRIPT LITERAL exception is thrown. The action verifies; it does not quote or escape the value, so the input must already be a complete JavaScript literal (quotes included for a string), and the calling flow must handle the exception rather than use the output after a failure.

Inputs


JavascriptLiteral
Type: Text. Mandatory.
The JavaScript literal to verify.

Outputs


SanitizedJavascriptLiteral
Type: Text.
The verified JavaScript literal, ready to be concatenated into a JavaScript snippet.

VerifySqlLiteral

Ensures the provided SQL contains only literals (for example a single-quoted string or a number). If it contains anything else, such as identifiers, operators, comments or statement separators, an INVALID SQL LITERAL exception is thrown. The action verifies; it does not quote or escape the value, so the input must already be a complete SQL literal, and the calling flow must handle the exception. It is meant for SQL that is actually built by concatenation, typically an Advanced SQL query whose input parameter has Expand Inline set to Yes; a parameter that is not expanded inline is passed to the database as a query parameter and needs no such check.

Inputs


SqlLiteral
Type: Text. Mandatory.
The SQL literal to verify (for a string literal, the enclosing single quotes included).

Outputs


SanitizedSqlLiteral
Type: Text.
The verified SQL literal, ready to be concatenated into the SQL statement.
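For VerifyJavascriptLiteral and VerifySqlLiteral together, here is an added Python model of both checks (example code for this page, not the platform's implementation, whose exact grammar the page does not state): each function accepts exactly one literal and returns it, and raises otherwise, which is how the two actions are meant to be used: build the literal first, verify it, and only then concatenate it into the snippet. The function names, the InvalidLiteral exception, the helpers that build literals from raw text, the extra rejection of </ inside JavaScript strings and of backslashes inside SQL strings, and all sample inputs are this example's own choices.

```python
import json
import re


class InvalidLiteral(ValueError):
    """Models the INVALID JAVASCRIPT LITERAL / INVALID SQL LITERAL exceptions."""


# JavaScript: exactly one string, number, boolean or null literal.
# A string may not contain an unescaped quote or a raw line break.
_JS_STRING = r'"(?:[^"\\\n\r]|\\.)*"' + r"|'(?:[^'\\\n\r]|\\.)*'"
_JS_LITERAL = re.compile(
    r"(?P<string>" + _JS_STRING + r")"
    + r"|(?P<number>-?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)"
    + r"|(?P<keyword>true|false|null)"
)

# SQL: exactly one single-quoted string (a quote inside it must be doubled),
# number, NULL, TRUE or FALSE.
_SQL_LITERAL = re.compile(
    r"(?P<string>'(?:[^']|'')*')"
    + r"|(?P<number>-?\d+(?:\.\d+)?)"
    + r"|(?P<keyword>NULL|TRUE|FALSE)",
    re.IGNORECASE,
)


def _verify(pattern, text, label):
    match = pattern.fullmatch(text.strip())
    if match is None:
        raise InvalidLiteral(f"INVALID {label} LITERAL: {text!r}")
    return match


def verify_js_literal(text):
    """Return the text (trimmed) if it is exactly one JavaScript literal."""
    match = _verify(_JS_LITERAL, text, "JAVASCRIPT")
    # Hardening added in this example: "</script>" is a valid JavaScript string
    # literal, yet it still terminates an inline <script> element in HTML.
    if match.lastgroup == "string" and "</" in match.group("string"):
        raise InvalidLiteral("INVALID JAVASCRIPT LITERAL: '</' inside string")
    return match.group(0)


def verify_sql_literal(text):
    """Return the text (trimmed) if it is exactly one SQL literal."""
    match = _verify(_SQL_LITERAL, text, "SQL")
    # Hardening added in this example: where backslash escapes (MySQL by
    # default) the text 'a\' is not a closed string, so refuse to guess.
    if match.lastgroup == "string" and "\\" in match.group("string"):
        raise InvalidLiteral("INVALID SQL LITERAL: backslash inside string")
    return match.group(0)


def js_string_literal(raw):
    """Build a JavaScript string literal from raw text so that it passes the
    check: json.dumps escapes quotes, backslashes, control characters and
    (with the default ensure_ascii) U+2028/U+2029; the replace keeps '</' out."""
    return json.dumps(raw).replace("</", "<\\/")


def sql_string_literal(raw):
    """Build a SQL string literal by doubling quotes; refuse characters whose
    meaning depends on the database dialect instead of guessing."""
    if "\\" in raw or "\x00" in raw:
        raise InvalidLiteral("unsupported character in SQL string value")
    return "'" + raw.replace("'", "''") + "'"


def inline_script(user_name_literal):
    """The pattern the check exists for: verify, then concatenate."""
    return "var userName = " + verify_js_literal(user_name_literal) + ";"


def user_query(name_literal):
    """Same pattern for SQL assembled by concatenation (an Expand Inline
    parameter in OutSystems terms); a query parameter remains the better default."""
    return "SELECT Id FROM Users WHERE Name = " + verify_sql_literal(name_literal)


def rejects(verify, text):
    """True when verify() throws InvalidLiteral for text."""
    try:
        verify(text)
    except InvalidLiteral:
        return True
    return False
```

The two verify functions never repair their input: 'a' OR 1=1-- is rejected outright rather than trimmed to 'a', which is the behaviour to expect from the platform actions as well, so the exception path must exist in the calling flow.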

See Also

About APIs