The Code Injection warning is issued in the following situations:

Do one of the following: disable the 'Expand Inline' property of the 'Query Parameter'; use the EncodeSql built-in function to replace all SQL reserved characters by their escaped counterpart, so that they can be included in a SQL string; or use the VerifySqlLiteral function from the Sanitization extension module to ensure that the value entered by the end-user only contains valid SQL literals.

Do one of the following: enable the 'Escape Content' property of the expression; use the EncodeHtml built-in function to replace all HTML reserved characters by their escaped counterpart; use the EncodeUrl built-in function to replace all URL invalid characters by their percent-encoded counterpart; use the EncodeJavascript built-in function to replace all JavaScript reserved characters by their escaped counterpart so they can be included in a JavaScript string; or use the SanitizeHtml function from the Sanitization extension module to ensure that the value entered by the end-user does not contain any malicious content.

Do one of the following: use the EncodeJavascript built-in function to replace all JavaScript reserved characters by their escaped counterpart; or use the VerifyJavascriptLiteral function from the Sanitization extension module to ensure that the value entered by the end-user only contains valid JavaScript or JSON literals.
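The following is an added illustration of the three remediations above, written in OutSystems expression syntax; it is not part of the original page. It assumes an Advanced SQL query with an input parameter 'Filter' whose 'Expand Inline' property is enabled, an entity {Customer} with a Name attribute, and screen input variables SearchText, DisplayName and Message holding end-user text.

```outsystems
// Added example, not from the original page. Entity, attribute and variable
// names are assumed for illustration.

// 1. SQL: query with an inline-expanded 'Filter' parameter.
SELECT {Customer}.[Id], {Customer}.[Name]
FROM {Customer}
WHERE @Filter

// Vulnerable: user text is pasted verbatim into the query text.
"{Customer}.[Name] LIKE '%" + SearchText + "%'"

// Fixed: reserved characters are escaped, so the text stays a literal.
"{Customer}.[Name] LIKE '%" + EncodeSql(SearchText) + "%'"

// Alternative: validate first (assumed to raise an exception when the
// value is not a valid SQL literal), then build the filter.
VerifySqlLiteral(SearchText)
"{Customer}.[Name] LIKE '%" + SearchText + "%'"

// 2. HTML: Expression with 'Escape Content' set to No.
// Vulnerable: markup in DisplayName is rendered as-is.
"<b>" + DisplayName + "</b>"
// Fixed: HTML reserved characters are escaped before rendering.
"<b>" + EncodeHtml(DisplayName) + "</b>"
// Alternative when the value must keep some markup: strip malicious content.
"<b>" + SanitizeHtml(DisplayName) + "</b>"

// 3. JavaScript: script text built from user input (for example in a
// RunJavaScript action).
// Vulnerable: a quote in Message ends the string and injects code.
"showToast('" + Message + "');"
// Fixed: JavaScript reserved characters are escaped inside the string.
"showToast('" + EncodeJavascript(Message) + "');"
```

Escaping must be applied at the point where the value is concatenated into the query, HTML or script, not when it is first read from the user, because the same value may need a different encoder in each context.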

See Also

Sanitization API | About Warning Messages