How to remove HTML Injection warning

In OutSystems I am getting an HTML injection warning; how do I resolve it? Please check the code below.



"
<div>
    <div class='fixedHeight' id='jsoneditor'></div>
</div>

<script>
  var container = document.getElementById('jsoneditor');
  var options = {
    mode: 'code',
    modes: ['code', 'text'], // allowed modes
    onError: function (err) {
      alert(err.toString());
    }
  };
  var editor = new JSONEditor(container, options);
  var json = "+JosnRequest+"
  editor.set(json);
</script>
"

Hi,

You need to use EncodeHtml(JosnRequest). Keep in mind this will remove all the HTML tags.

Regards,

Marcelo


Hi Marcelo,

I have tried it. In the browser the JSON editor won't render. I am using an external jQuery plugin for the JSON editor; is there any other solution to remove this warning?


 Regards,

Sachin

Hi,

To remove the warning, this is the solution. Since you can't, I recommend you do some sanitization yourself for security reasons, to make sure no one inserts code in that variable that could compromise your system.

Regards,

Marcelo

Solution

It is not the best practice, but you can hide the warning if you want:

Pay attention: don't use EncodeHTML() for the whole text, but only for your variable:

  var editor = new JSONEditor(container, options);
  var json = "+EncodeHTML(JosnRequest)+"
  editor.set(json);
</script>
"

You have more info about the EncodeHTML function here.


Luís Santos Monteiro wrote:

It is not the best practice, but you can hide the warning if you want:

Pay attention: don't use EncodeHTML() for the whole text, but only for your variable:

  var editor = new JSONEditor(container, options);
  var json = "+EncodeHTML(JosnRequest)+"
  editor.set(json);
</script>
"

You have more info about the EncodeHTML function here.


Hi,

I have tried the same thing:

var json = "+EncodeHTML(JosnRequest)+"

The code is not executing. The HTML is not rendering in the front end.
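An added example, not code from this thread or from OutSystems, showing why the EncodeHTML() approach discussed above stops the editor from rendering, and one way to keep the injection protection while still handing JSONEditor valid JSON. `encodeHtml` is an assumed stand-in for OutSystems' EncodeHTML() (it escapes the same five characters); `decodeHtmlAttr` simulates what a browser does when a script reads an attribute value; the data-attribute pattern is a general web technique, not an OutSystems API. The sample JSON is constructed.

```javascript
// Stand-in for OutSystems EncodeHTML(): escape the HTML-significant characters.
// (Assumption: the real function escapes at least these five.)
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simulates the browser reading an attribute (e.g. element.dataset.json):
// entities are decoded back to characters. Inside a <script> element no such
// decoding happens; the text goes to the JS parser exactly as written.
// Order matters: "&amp;" is decoded last so "&amp;lt;" becomes "&lt;", not "<".
function decodeHtmlAttr(text) {
  return String(text)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Thread's approach: var json = "+EncodeHTML(JosnRequest)+" inside <script>.
// Returns the literal text the JS engine receives on the right-hand side.
function scriptLiteralViaEncodeHtml(jsonText) {
  return encodeHtml(jsonText);
}

// Alternative: keep EncodeHTML() on the variable, but emit it into an attribute
// of the container rather than into script code. The markup stays safe because
// every "<", ">" and quote is encoded, and the script gets the original JSON back.
function renderContainerWithDataAttr(jsonText) {
  return '<div class="fixedHeight" id="jsoneditor" data-json="' +
    encodeHtml(jsonText) + '"></div>';
}

// Simulates: JSON.parse(document.getElementById("jsoneditor").dataset.json)
// followed by editor.set(...).
function readJsonFromDataAttr(html) {
  const m = /data-json="([^"]*)"/.exec(html);
  if (!m) throw new Error("data-json attribute missing");
  return JSON.parse(decodeHtmlAttr(m[1]));
}

function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample: ordinary fields plus a value containing markup, to show
// it stays data and never becomes part of the page structure.
const sample = JSON.stringify({
  name: "Sachin",
  note: 'contains </script> and "quotes"'
});

function demo() {
  const literal = scriptLiteralViaEncodeHtml(sample);
  const html = renderContainerWithDataAttr(sample);
  return {
    // false: every quote became &quot;, so the script gets a syntax error
    scriptApproachValidJson: isValidJson(literal),
    // the original object, ready for editor.set(...)
    dataAttrRoundTrip: readJsonFromDataAttr(html),
    // false: the closing tag is encoded, so it cannot break out of the markup
    attrContainsRawTag: html.includes("</script>")
  };
}

console.log(demo());
```

The first result is the failure reported in the thread: HTML entities are not decoded inside a `<script>` block, so the encoded text is no longer JSON and the editor never initialises. Reading the value from a data attribute instead lets the browser undo the encoding for you, which is why the same EncodeHTML() call both satisfies the warning and still renders.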