
APEX 5 New Substitution Syntax Features


You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by creating JavaScript in your APEX applications that accepts unescaped user input - either entered directly or retrieved from the database.
As a - very stupid and simple - example, create a page with a Text Item (say P3_TEXT). Next, create a Dynamic Action that executes this snippet of JavaScript on Page Load:

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box saying "You entered Hello world". But now enter something like:

the dark world");window.open("http://www.google.com

This looks like half a piece of code - and in fact it is. It is completed by the (other) JavaScript snippet that uses this value as its input. Now you get an alert saying "You entered the dark world" and an extra window opens showing the Google search page. That's quite harmless, but you can invoke any JavaScript this way - including loading additional data and scripts from other servers. So you have to protect your application against this kind of hack. And of course there are many ways to do so, like escaping the value in JavaScript.

But in APEX 5 you've got a new and simple option: use the Extended Substitution Syntax. So instead of &P3_TEXT. you should use &P3_TEXT!JS. - that is, including the ampersand, the exclamation mark and the dot at the end... Now the input text is properly escaped - and harmless ;-), just like a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme:
&P3_TEXT!HTML. => escape for HTML text, like the apex_escape.html function
&P3_TEXT!ATTR. => escape for use in an HTML attribute value, like the apex_escape.html_attribute function
&P3_TEXT!RAW. => don't escape at all (so dangerous....)
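To make the difference between the bare and the !JS substitution visible outside APEX, here is an added example (not APEX's own code) that models the substitution syntax in plain JavaScript. The escapers only approximate what apex_escape.js_literal and apex_escape.html do, the bare &NAME. is treated as unescaped because that is what the post demonstrates, and the payload is the one from the post.

```javascript
// Added example, not APEX's own code: a small model of the Extended Substitution
// Syntax from the post. The escapers approximate apex_escape.js_literal and
// apex_escape.html (an assumption); the real PL/SQL functions are authoritative.

// Encode every character except letters, digits and spaces as \xHH (or \uHHHH
// for code points above 0xFF), so the value can never close the quotes around it.
function escapeJsLiteral(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Replace the five characters that can change context in HTML text or in a
// quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Modelled on the post: a bare &NAME. behaves like !RAW, the suffixes select an
// escaper, and an unknown suffix is rejected instead of silently passed through.
const ESCAPERS = { RAW: (v) => v, JS: escapeJsLiteral, HTML: escapeHtml, ATTR: escapeHtml };

function substitute(template, items) {
  return template.replace(/&([A-Z0-9_]+)(?:!([A-Z]+))?\./g, (_m, name, mode) => {
    const escaper = ESCAPERS[mode || 'RAW'];
    if (!escaper) throw new Error('unknown substitution mode: ' + mode);
    return escaper(items[name] === undefined ? '' : items[name]);
  });
}

// Run a generated snippet with alert() replaced by a recorder and return the
// strings it received. Only meant for output produced with !JS.
function alertsFrom(snippet) {
  const seen = [];
  new Function('alert', snippet)((msg) => seen.push(msg));
  return seen;
}

// The input from the post, used here as a constructed test value.
const PAYLOAD = 'the dark world");window.open("http://www.google.com';
const vulnerable = substitute('alert("You entered &P3_TEXT.")', { P3_TEXT: PAYLOAD });
const hardened = substitute('alert("You entered &P3_TEXT!JS.")', { P3_TEXT: PAYLOAD });
```

Counting the double quotes in the two results shows the point: the bare substitution yields four (two string literals and a second statement), the !JS substitution yields the original two, and running the hardened snippet calls alert exactly once with the whole payload as text.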
 
So in APEX 5 you've got even more possibilities to make your application secure - and fewer excuses ;-)
