Tuesday, September 02, 2014

APEX 5 New Substitution Syntax Features


You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by creating JavaScript in your APEX applications that accepts unescaped user input - either direct or data retrieved from the database.
As a - very stupid and simple - example, create a Page with a Text Item (say P3_TEXT).  Next create a Dynamic Action that executes this snippet of Javascript on Page Load :

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box with "You entered Hello world". But now enter something like:

the dark world");window.open("http://www.google.com

This looks like half a piece of code - and in fact it is. It is completed by the (other) Javascript snippet that's using this snippet as input. Now you get an alert saying "You entered the dark world" and an extra window is opened showing the Google search page. That's quite harmless, but you can invoke any JavaScript - also loading additional data and scripts from other servers etc... So you have to protect your application for this kind of hack. And of course there are many ways to do so, like escaping the value in JavaScript. 

But in APEX 5 you've got a new and simple option: Use the Extended Substitution Syntax. So instead of &P3_TEXT. , you should use &P3_TEXT!JS. So including the ampersand the exclamation mark and the dot at the end... Now the input text is properly escaped - and harmless ;-). Just like a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme: 
&P3_TEXT!HTML. => escape all HTML, like the apex_escape.html function
&P3_TEXT!ATTR. => escape all HTML attribute values, like the apex_escape.html_attribute function
&P3_TEXT!RAW. => Don't escape (so dangerous....) 
 
So in APEX 5 you've got even more possibilities to make your application secure - and less excuses ;-)

 

Post a Comment