Hi,

JavaScript Injection


Ensure the expression is protected by using EncodeJavaScript(), or VerifyJavascriptLiteral() from the Sanitization extension, to avoid security flaws.

How can I resolve the above warning?

PS: when I use the code below, the warning goes away, but the code does not execute.


"var a=("+EncodeJavaScript(Var1)+")

for(var key in a){
  if (!a.hasOwnProperty(key)) continue;
  console.log("output");
}"

Can anyone please help with this?


Thanks,

Ronan

Hi,

replace

 console.log("output");

with

 console.log('output');

Regards,

Daniel

What is the type/value of Var1 from OutSystems?

If it is a string, you may need to add your own set of quotation marks or parse the string using JSON.parse().

It appears the JavaScript you have mentioned may not be valid, hence it is not running correctly.

I can also suggest using your browser's dev tools console to see any issues related to the execution of the JavaScript.

Tye Peck wrote:

What is the type/value of Var1 from OutSystems?

If it is a string, you may need to add your own set of quotation marks or parse the string using JSON.parse().

It appears the JavaScript you have mentioned may not be valid, hence it is not running correctly.

I can also suggest using your browser's dev tools console to see any issues related to the execution of the JavaScript.

Hi,

See my code below; without EncodeJavaScript() I am getting the expected output.

"var a=("+Var1+")

for(var key in a){
  if (!a.hasOwnProperty(key)) continue;
  var obj = a[key];
  for (var prop in obj) {
    if (!obj.hasOwnProperty(prop)) continue;
    // note: this forEach runs once per own property of obj, so every value is logged once per property
    Object.keys(obj).forEach(function(values) {
      var result = obj[values];
      console.log(key, result);
    });
  }
}
"

When I use it with EncodeJavaScript(), the code does not execute.

"var a=("+EncodeJavaScript(Var1)+")

for(var key in a){
  if (!a.hasOwnProperty(key)) continue;
  var obj = a[key];
  for (var prop in obj) {
    if (!obj.hasOwnProperty(prop)) continue;
    Object.keys(obj).forEach(function(values) {
      var result = obj[values];
      console.log(key, result);
    });
  }
}
"


PS:

The data type of Var1 is TEXT. Regarding errors: you can remove the surrounding " " and run it.


Thanks,

Ronan


Solution

Ronan T, try this:

"var a=('"+EncodeJavaScript(Var1)+"')

for(var key in a){
  if (!a.hasOwnProperty(key)) continue;
  var obj = a[key];
  for (var prop in obj) {
    if (!obj.hasOwnProperty(prop)) continue;
    Object.keys(obj).forEach(function(values) {
      var result = obj[values];
      console.log(key, result);
    });
  }
}
"

I have a sneaking suspicion you need to replace the first line with: 

var a=(JSON.parse('"+EncodeJavaScript(Var1)+"'))

(Assuming Var1 is a JSON string)
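The reason the quoted form works and the bare form does not is that EncodeJavaScript() produces text that is only valid inside a JavaScript string literal: it escapes quotes, backslashes and line breaks, so `{\"user\":...}` pasted as a bare expression is a syntax error, while the same text inside `'...'` decodes back to the original JSON for JSON.parse(). Quoting without encoding is not enough either, because a value containing `'` can close the literal and run code. The script below is an added example, not code from the thread or from OutSystems; `encodeJavaScript` is an approximation of the platform's EncodeJavaScript() escaping, and `sandbox`, `pwned` and the sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the original post). encodeJavaScript approximates
// OutSystems' EncodeJavaScript(): escape backslash, both quote styles, line
// breaks and angle brackets so the result is safe inside a JS string literal.
function encodeJavaScript(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/</g, "\\x3C")
    .replace(/>/g, "\\x3E");
}

// Four ways of building the first line of the script, mirroring the thread.
// Raw concatenation: "var a=("+Var1+")"  -> JavaScript injection.
function buildUnsafe(var1) {
  return "var a=(" + var1 + ");";
}
// Encoded but bare: "var a=("+EncodeJavaScript(Var1)+")" -> syntax error, nothing runs.
function buildEncodedBare(var1) {
  return "var a=(" + encodeJavaScript(var1) + ");";
}
// Quoted but not encoded -> a single quote in Var1 escapes the literal.
function buildQuotedUnencoded(var1) {
  return "var a=(JSON.parse('" + var1 + "'));";
}
// Quoted and encoded: "var a=(JSON.parse('"+EncodeJavaScript(Var1)+"'))" -> safe.
function buildSafe(var1) {
  return "var a=(JSON.parse('" + encodeJavaScript(var1) + "'));";
}

// Runs a generated script in a fresh function scope. `sandbox.pwned` is a
// hypothetical marker that injected code flips if it ever executes.
function runScript(script) {
  var sandbox = { pwned: false };
  try {
    var fn = new Function("sandbox", script + "\nreturn a;");
    var a = fn(sandbox);
    return { ok: true, a: a, pwned: sandbox.pwned, error: null };
  } catch (e) {
    return { ok: false, a: undefined, pwned: sandbox.pwned, error: e.name };
  }
}

// Walk the parsed value the way the thread's loop does and collect key/value pairs.
function flatten(a) {
  var out = [];
  for (var key in a) {
    if (!Object.prototype.hasOwnProperty.call(a, key)) continue;
    var obj = a[key];
    Object.keys(obj).forEach(function (prop) {
      out.push(key + "." + prop + "=" + obj[prop]);
    });
  }
  return out;
}

// Constructed sample inputs (not taken from the original post).
var GOOD_JSON = '{"user":{"name":"Ronan","role":"dev"}}';
// Closes the "(" of the bare form and runs arbitrary code.
var EVIL_BARE = "{}); sandbox.pwned = true; ({}";
// Closes the '...' literal of the quoted form and runs arbitrary code.
var EVIL_QUOTE = "{}')); sandbox.pwned = true; (JSON.parse('{}";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe + evil     ->", runScript(buildUnsafe(EVIL_BARE)));
  console.log("encoded bare      ->", runScript(buildEncodedBare(GOOD_JSON)));
  console.log("quoted, unencoded ->", runScript(buildQuotedUnencoded(EVIL_QUOTE)));
  console.log("safe + good       ->", flatten(runScript(buildSafe(GOOD_JSON)).a));
  console.log("safe + evil       ->", runScript(buildSafe(EVIL_QUOTE)));
}
```

Run it with `node`: the raw form executes the payload, the encoded-but-bare form fails to parse (which is what "code is not executing" in the question looks like), the quoted-but-unencoded form executes the payload, and only the quoted-and-encoded form both loads the good JSON and rejects the payloads with a JSON.parse SyntaxError while `pwned` stays false.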

Tye Peck wrote:

Ronan T, try this:

"var a=('"+EncodeJavaScript(Var1)+"')

for(var key in a){
  if (!a.hasOwnProperty(key)) continue;
  var obj = a[key];
  for (var prop in obj) {
    if (!obj.hasOwnProperty(prop)) continue;
    Object.keys(obj).forEach(function(values) {
      var result = obj[values];
      console.log(key, result);
    });
  }
}
"

I have a sneaking suspicion you need to replace the first line with: 

var a=(JSON.parse('"+EncodeJavaScript(Var1)+"'))

(Assuming Var1 is a JSON string)

Hi Tye Peck,

Thank you so much, now it is working.

Regards,

Ronan