Just wanted to share a weird behavior involving the BuildSafe_InClauseIntegerList action. 

When I was playing around with the BuildSafe_InClauseIntegerList action, I was able to bypass the "SQL injection vulnerability warning". I did this by naming a variable "BuildSafe_InClauseIntegerList" and using that as an "expand inline" Advanced SQL input parameter. By doing so, the SQL injection warning disappeared even though the variable I passed was not sanitized at all. As per my testing, this also happens if the variable is named "BuildSafe_InClauseTextList".

Honestly, I don't think someone will explicitly name their variables this way just to bypass a warning that is actually there for their app's benefit. I just want to raise this for awareness.

Screenshots for reference:
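The behaviour described above suggests the warning keys off the parameter's name rather than where its value came from. As an added example (my own code, not OutSystems' implementation of the Sanitization API), here is a small Python model of the distinction: the sanitizing builders return a dedicated `SafeSqlFragment` type, and the expand-inline substitution step accepts only that type, so a plain string survives no matter what the variable is called. The function names, the `@Name` placeholder syntax and the empty-list handling are assumptions made for the illustration, not the documented OutSystems behaviour.

```python
"""Added example, not OutSystems' own code: a provenance-based check for
expand-inline SQL fragments. The point is that safety is tracked by the
type a sanitizer produces, never by the name of the variable holding it."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SafeSqlFragment:
    """SQL text that can only be produced by one of the builders below."""
    sql: str


class UnsafeExpandInline(ValueError):
    """Raised when a raw string is spliced into a query as expand inline."""


def build_safe_in_clause_integer_list(values: Iterable[object]) -> SafeSqlFragment:
    """Model of BuildSafe_InClauseIntegerList: every element must be a real
    integer, so the result can only ever be digits and commas."""
    ints = []
    for v in values:
        # bool is an int subclass in Python; reject it explicitly.
        if isinstance(v, bool) or not isinstance(v, int):
            raise TypeError(f"not an integer: {v!r}")
        ints.append(str(v))
    if not ints:
        # Assumption for this example: an empty list yields NULL so that
        # "IN (NULL)" stays valid SQL and matches no row.
        return SafeSqlFragment("NULL")
    return SafeSqlFragment(",".join(ints))


def build_safe_in_clause_text_list(values: Iterable[object]) -> SafeSqlFragment:
    """Model of BuildSafe_InClauseTextList: each value is quoted and any
    embedded single quote is doubled, the standard SQL escape."""
    quoted = []
    for v in values:
        if not isinstance(v, str):
            raise TypeError(f"not text: {v!r}")
        quoted.append("'" + v.replace("'", "''") + "'")
    if not quoted:
        return SafeSqlFragment("NULL")
    return SafeSqlFragment(",".join(quoted))


def render_query(template: str, **expand_inline: object) -> str:
    """Simulates expand-inline substitution of @Name placeholders.

    Only SafeSqlFragment values are accepted. A raw str is rejected even if
    the keyword is spelled "BuildSafe_InClauseIntegerList", which is exactly
    the check the forum post found missing from the editor warning."""
    for name, value in expand_inline.items():
        if not isinstance(value, SafeSqlFragment):
            raise UnsafeExpandInline(
                f"expand-inline parameter {name!r} is a raw string, "
                f"not the output of a sanitizing builder"
            )
    # Substitute longest names first so @Id never clobbers part of @Ids.
    for name in sorted(expand_inline, key=len, reverse=True):
        template = template.replace("@" + name, expand_inline[name].sql)
    return template


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    ok = render_query(
        "SELECT * FROM Orders WHERE Id IN (@Ids)",
        Ids=build_safe_in_clause_integer_list([4, 5, 6]),
    )
    print(ok)
    try:
        # Same name as the sanitizer, but the value is an unchecked string.
        render_query(
            "SELECT * FROM Orders WHERE Id IN (@BuildSafe_InClauseIntegerList)",
            BuildSafe_InClauseIntegerList="4,5,6",
        )
    except UnsafeExpandInline as exc:
        print("rejected:", exc)
```

The design choice worth noting is that `render_query` never inspects the string contents or the parameter name; it only asks whether the value carries the type that the builders alone can produce. A name-based heuristic, by contrast, is satisfied by anyone who happens to reuse the builder's name for an ordinary text variable, which is the gap this thread reports.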

Smart people, dumb software. Good if it's taken care of. Somehow it's just taking your variables as an output from the Sanitization API functions. https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/Sanitization_API#BuildSafe_InClauseIntegerList


Cheers

Would encourage you to register an Idea to fix this. Should be taken up by OS soon.



No, I don't think this should be reported as an Idea. Instead, the feedback button in Service Studio should be used.