Why do we use unescaped expressions? Are they only meant for JavaScript and HTML? And how can somebody inject code through an unescaped expression? Please explain this to me in detail.

Hello Lovish,

I think if you google the internet there is a lot of information to be found on what HTML injection, JavaScript injection and SQL injection mean and how they can be harmfully used to perform unattended actions in your program. Here is an example for each type of injection.

https://www.softwaretestinghelp.com/javascript-injection-tutorial/

https://www.hackingarticles.in/beginner-guide-html-injection/

https://www.w3schools.com/sql/sql_injection.asp

Regards,

Daniel

Hi Lovish,

There are a few valid use cases for unescaped expressions. For example:

  • You may use unescaped expressions when you have HTML content saved in your database that you want to display on a screen. A typical scenario where this happens is when you have an input with a rich text editor, such as CKEditor.
  • You want to write some JavaScript that makes use of screen variables. This is extremely common when you create widgets like a DatePicker, InputMasks, etc.
  • You want to completely control the HTML of some widget you are creating based on a source from the internet. This is also extremely common when you are building a theme that's not based on one of the OutSystems templates.

The first example, however, exposes your application to HTML and JavaScript injection, because a malicious user can write code in your rich text editor so that it captures user inputs or injects malicious ads into your application. So, when you save the content of a rich text input to your database, you need to first sanitise it, to make sure it doesn't have any malicious code (this isn't trivial to do).

I hope this explanation helps.
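As an added example (not code from this thread, nor OutSystems' own escaping), the JavaScript below shows what an escaped expression does to user text and a minimal allowlist sanitiser for the rich-text HTML described in the first use case above, run on a constructed sample input. The allowed tag list and the `x()`, `steal()` and `y()` names in the sample are assumptions; in a production application use a vetted library such as DOMPurify rather than hand-written parsing.

```javascript
// Added example (not from the thread or OutSystems). Illustrative only: production
// code should use a vetted library such as DOMPurify, not hand-written parsing.

// What an escaped expression does: markup-significant characters become entities.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist (an assumption for this example): tags a rich-text editor needs, and
// the only attribute kept on any of them.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Rebuild one tag with only allowed attributes; anything not allowlisted is dropped.
function sanitiseTag(tag) {
  const m = /^<(\/?)([a-zA-Z0-9]+)([^>]*)>$/.exec(tag);
  if (!m) return '';                              // malformed tag: drop it
  const [, closing, rawName, attrText] = m;
  const name = rawName.toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return '';         // <script>, <iframe>, <img>, ...: dropped
  if (closing) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const kept = [];
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const attrName = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (!allowed.has(attrName)) continue;         // on*=, style=, etc. never survive
    if (attrName === 'href' && !/^https?:\/\//i.test(value)) continue; // no javascript: URLs
    kept.push(` ${attrName}="${escapeHtml(value)}"`);
  }
  return `<${name}${kept.join('')}>`;
}

// Drop <script>/<style> elements with their bodies (a dropped tag must not leave its
// code behind as text), then filter every remaining tag and escape every text run.
function sanitiseRichText(html) {
  const stripped = String(html).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return stripped.replace(/<[^>]*>|<|[^<]+/g, (chunk) =>
    chunk.startsWith('<') && chunk.endsWith('>') ? sanitiseTag(chunk) : escapeHtml(chunk));
}

// Constructed sample of what a user could submit through a rich-text editor.
const SAMPLE = '<p onclick="x()">Hi <b>there</b></p><script>steal()</script>'
  + '<a href="javascript:y()">bad</a><a href="https://example.com/?a=1&b=2">ok</a>';
console.log(sanitiseRichText(SAMPLE));
// <p>Hi <b>there</b></p><a>bad</a><a href="https://example.com/?a=1&amp;b=2">ok</a>
```

Run the escaped output and the sanitised output through the same unescaped expression to see the difference: the first renders as literal text, the second keeps only the formatting tags.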