Skip to main content

APEX 5 New Substitution Syntax Features


You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by creating JavaScript in your APEX applications that accepts unescaped user input - either direct or data retrieved from the database.
As a - very stupid and simple - example, create a Page with a Text Item (say P3_TEXT).  Next create a Dynamic Action that executes this snippet of Javascript on Page Load :

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box with "You entered Hello world". But now enter something like:

the dark world");window.open("http://www.google.com

This looks like half a piece of code - and in fact it is. It is completed by the (other) Javascript snippet that's using this snippet as input. Now you get an alert saying "You entered the dark world" and an extra window is opened showing the Google search page. That's quite harmless, but you can invoke any JavaScript - also loading additional data and scripts from other servers etc... So you have to protect your application for this kind of hack. And of course there are many ways to do so, like escaping the value in JavaScript. 

But in APEX 5 you've got a new and simple option: Use the Extended Substitution Syntax. So instead of &P3_TEXT. , you should use &P3_TEXT!JS. So including the ampersand the exclamation mark and the dot at the end... Now the input text is properly escaped - and harmless ;-). Just like a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme: 
&P3_TEXT!HTML. => escape all HTML, like the apex_escape.html function
&P3_TEXT!ATTR. => escape all HTML attribute values, like the apex_escape.html_attribute function
&P3_TEXT!RAW. => Don't escape (so dangerous....) 
 
So in APEX 5 you've got even more possibilities to make your application secure - and less excuses ;-)

 

Comments

Popular posts from this blog

apex_application.g_f0x array processing in Oracle 12

If you created your own "updatable reports" or your custom version of tabular forms in Oracle Application Express, you'll end up with a query that looks similar to this one:
then you disable the "Escape special characters" property and the result is an updatable multirecord form.
That was easy, right? But now we need to process the changes in the Ename column when the form is submitted, but only if the checkbox is checked. All the columns are submitted as separated arrays, named apex_application.g_f0x - where the "x" is the value of the "p_idx" parameter you specified in the apex_item calls. So we have apex_application.g_f01, g_f02 and g_f03. But then you discover APEX has the oddity that the "checkbox" array only contains values for the checked rows. Thus if you just check "Jones", the length of g_f02 is 1 and it contains only the empno of Jones - while the other two arrays will contain all (14) rows. So for processing y…

Adding items to your Interactive Grid Toolbar

The APEX Interactive Grid uses the Toolbar widget to create the default Toolbar showing the Search box, Actions menu, Save button etc. And since quite a while there is a nice Plugin "Extend IG Toolbar" by Marko Goricki that makes it very easy to add additional buttons to the Toolbar.

But what if you need more than a button? 
Inspecting the contents of widget.toolbar.js, you can easily spot there can be added more to the Toolbar than just a button: The type of control, available values:
"STATIC", "TEXT", "SELECT", "BUTTON", "MENU", "RADIO_GROUP", "TOGGLE".
The first example will show a way to easily switch from one filter to another. Of course we could use the standard functionality and create two different Report views, but using a Radio Group on the Toolbar gives a more "Tab" like user experience.

So how can we create a Radio Group that looks like a switch in the Toolbar?
In the Javascript Code …

Refresh selected row(s) in an Interactive Grid

In my previous post I blogged about pushing changed rows from the dabatase into an Interactive Grid. The use case I'll cover right here is probably more common - and therefore more useful!

Until we had the IG, we showed the data in a report (Interactive or Classic). Changes to the data where made by popping up a form page, making changes, saving and refreshing the report upon closing the dialog. Or by clicking an icon / button / link in your report that makes some changes to the data (like changing a status) and ... refresh the report.  That all works fine, but the downsides are: The whole dataset is returned from the server to the client - again and again. And if your pagination size is large, that does lead to more and more network traffic, more interpretation by the browser and more waiting time for the end user.The "current record" might be out of focus after the refresh, especially by larger pagination sizes, as the first rows will be shown. Or (even worse) while you…