Hello Community! :)

In a continuous effort to provide our customers with proper and up-to-date information, and to help developers to create secure applications, we have updated the following security-related documentation in OutSystems:

Your feedback is very important for OutSystems! Always send your feedback about the articles you read, to help us provide the best content! You can e-mail us at knowledge@outsystems.com too!

Thanks and best regards,


Thank you, Gonçalo, for sharing.

Nice list and good to read up. I have, however, always wondered why, for example, the following code-injection example isn't handled by the platform by default (and can be disabled with a setting on the input widget just like on the expression widget).

Escape HTML content provided by the end-user

Use the SanitizeHtml() function from the Sanitization API to ensure that the value entered by the end-user does not contain any malicious content.

Nice Gonçalo. Thanks for sharing.

Hi Vicent,

That SanitizeHTML recommendation only applies to the expression widget. The example shows an input as source of the html, but requires an unescaped expression somewhere on the page for it to be a problem.

Technically you can sanitize it before storing as well, but it's recommended to sanitize it directly on the expression (Service Studio will display warnings otherwise, to remind you).

The default is to escape all the expressions, being safe by default. In case developers turn the "Escape Content" property to "No", it means that they want to do advanced customization of the page. And there are two use cases:

End-User content: The SanitizeHTML removes a lot of code that is necessary for these, it is meant to be used when the HTML comes from an unsafe location, like the mentioned "content provided by the end-user".

Development time content: SanitizeHTML is not meant to be used when there is no potential end-user manipulation. For example when you need to write <script> inline code, HTML elements with event triggers or javascript.
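The three output paths discussed in the replies above, as an added JavaScript illustration that is not part of the thread and not OutSystems code: `renderExpression` is a hypothetical stand-in for an expression widget with an "Escape Content" property, and `sanitizeHtml` is a deliberately strict allow-list stand-in (it neutralises disallowed markup by escaping it), not the platform's SanitizeHtml() implementation.

```javascript
// Added illustration. All names here are hypothetical stand-ins, not OutSystems APIs.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);

// "Escape Content = Yes": every markup character is turned into an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Strict sanitizer: escape everything first, then re-enable only bare
// allow-listed tags. Tags with attributes, <script>, and anything else stay inert.
function sanitizeHtml(untrusted) {
  return escapeHtml(untrusted).replace(
    /&lt;(\/?)([a-zA-Z0-9]+)&gt;/g,
    (match, slash, tag) =>
      ALLOWED_TAGS.has(tag.toLowerCase()) ? `<${slash}${tag.toLowerCase()}>` : match
  );
}

// Stand-in for an expression widget; escaping is on unless switched off.
function renderExpression(value, { escapeContent = true } = {}) {
  return escapeContent ? escapeHtml(value) : String(value);
}

// Constructed sample: a value typed into an input and stored unchanged.
const stored = '<b>hi</b><img src=x onerror="alert(1)"><script>alert(2)</script>';

// 1. Default expression: the stored value is shown as text, nothing executes.
const safeDefault = renderExpression(stored);

// 2. "Escape Content = No" without sanitizing: markup reaches the page as-is.
const unsafeRaw = renderExpression(stored, { escapeContent: false });

// 3. "Escape Content = No" with sanitizing applied on the expression:
//    harmless formatting survives, active content does not.
const sanitized = renderExpression(sanitizeHtml(stored), { escapeContent: false });

// Development-time content: the sanitizer also disables markup the developer
// wrote on purpose, which is why it is reserved for end-user content.
const devInline = sanitizeHtml("<script>initWidget()</script>");

console.log({ safeDefault, unsafeRaw, sanitized, devInline });
```
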

Hi João,

I read the article more like something that needs to be done at input, not at output. That is also the way I implemented it when there could be a security implication.

Thanks for the clarification.