Skip to main content

APEX 5 New Substitution Syntax Features

You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by creating JavaScript in your APEX applications that accepts unescaped user input - either direct or data retrieved from the database.
As a - very stupid and simple - example, create a Page with a Text Item (say P3_TEXT).  Next create a Dynamic Action that executes this snippet of Javascript on Page Load :

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box with "You entered Hello world". But now enter something like:

the dark world");"

This looks like half a piece of code - and in fact it is. It is completed by the (other) Javascript snippet that's using this snippet as input. Now you get an alert saying "You entered the dark world" and an extra window is opened showing the Google search page. That's quite harmless, but you can invoke any JavaScript - also loading additional data and scripts from other servers etc... So you have to protect your application for this kind of hack. And of course there are many ways to do so, like escaping the value in JavaScript. 

But in APEX 5 you've got a new and simple option: Use the Extended Substitution Syntax. So instead of &P3_TEXT. , you should use &P3_TEXT!JS. So including the ampersand the exclamation mark and the dot at the end... Now the input text is properly escaped - and harmless ;-). Just like a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme: 
&P3_TEXT!HTML. => escape all HTML, like the apex_escape.html function
&P3_TEXT!ATTR. => escape all HTML attribute values, like the apex_escape.html_attribute function
&P3_TEXT!RAW. => Don't escape (so dangerous....) 
So in APEX 5 you've got even more possibilities to make your application secure - and less excuses ;-)


Post a Comment

Popular posts from this blog

Push changed rows to an Interactive Grid

For pushing changes from the database to the end user, the regular solution is using websockets. A change in a record is detected - using a trigger or using the CQN (Change Query Notification) feature - and a notification is send to a websocket server. That websocket server broadcasts the notification over a channel to all browsers that are tuned in to that websocket channel. Then the browser reacts to that notification, usually showing an alert or refreshing a report. This trick is described on multiple sites, just Google for "oracle apex websockets" or similar.

So back in the old days, we used that notification in the browser to refresh the (interactive) report. But along comes the Interactive Grid (IG). While he full-refresh mechanism still works for IG, an IG has also the option to refresh just one row.  So wouldn't it be awesome that just the changed row(s) get refreshed upon a change in the database, instead of the whole report? Can we do it ... yes we can!
First i…

A review of APEX World 2017 - Day 1

Last week the SS Rotterdam was the beautiful location of the largest gathering of APEX Developers worldwide. With around 380 (!) attendees a new high was set. And they came from all over the world : I spotted people from The Netherlands, Belgium, Switzerland, Austria, Croatia, Germany, Denmark, Norway, UK, Ireland and the USA. And I even might have missed one or two ….

The event started with a presentation by the “father of APEX”, Mike Hichwa, talking about "Oracle APEX Past, Present and Future”. Of course everyone is curious what the APEX future might bring: Friendly URL’s, automated testing, more JSON, concurrent APEX versions, third party Oauth 2 authentication (think Facebook, Google), APEX app diff and more, a lot more, REST capabilities. And now we have to wait for APEX 5.2 … and that might take a while! 
After this keynote, the conference split up in three tracks. After the coffee break I returned to to big theatre where Geertjan Wielenga talked about "Finally Javas…

Dockerize your APEX development environment

Nowadays Docker is everywhere. It is one of the main components of Continuous Integration / Continuous Development environments. That alone indicates Docker has to be seen more as a Software Delivery Platform than as a replacement of a virtual machine.

However ...

If you are running an Oracle database using Docker on your local machine to develop some APEX application, you will probably not move that container is a whole to test and production environments. Because in that case you would not only deliver a new APEX application to the production environment - which is a good thing - but also overwrite the data in production with the data from your development environment. And that won't make your users very excited.
So in this set up you will be using Docker as a replacement of a Virtual Machine and not as a Delivery Platform.
And that's exactly the way Martin is using it as he described in this recent blog post. It is an ideal way to get up and running with an Oracle database …