I thought I'd add a simple demonstration, for reference.
Consider the following query, with variations of escaped column output.
Consider the following query, with variations of escaped column output.

with data as (
  select q'[G'day,]' || chr(10)
      || 'Scott<strong>loves</strong>'
      || '<br>APEX<script></script>' as string
  from dual
)
select
  -- UI default
  string dflt
  -- where no tags expected
  ,apex_escape.html(string) protected
  -- good for most things
  ,apex_escape.html_whitelist(string) whitelisted
  -- replace line feeds with HTML line break. Could use chr(13)
  ,replace(apex_escape.html_whitelist(string), chr(10), '<br>') protected_custom
  -- UI naughty
  ,string naughty
from data

The major difference is that the unescaped output is handed to the browser as markup, so it renders as
"G'day,
Scott loves" (with "loves" in bold) followed by a line break and "APEX", and the empty script element renders nothing at all.
The escaped output arrives at the browser as entities (&lt;strong&gt; and so on), so it displays as literal text:
"G'day,
Scott<strong>loves</strong><br>APEX<script></script>"
Escaping determines whether the browser interprets these tags as markup or displays them as plain text to the end user.
Note that the first field, called "DFLT", is using the default column setting, and is therefore escaping special characters.
The other four columns do not explicitly escape these characters, deferring protection to the SQL.
(Screenshot: column attributes across the four columns.)
The output looks like the following. The first row may look familiar to anyone who has used APEX_ITEM in a classic report without turning this flag off.
(Screenshot: sample output, using template "Value Attribute Pairs - Column".)
So depending on what you're trying to display, you might need a particular combination of code / settings.
- Default - default APEX behaviour, no column settings adjusted.
- Protected - uses the apex_escape package to do the same job as the declarative attribute.
- Whitelisted - certain markup tags are allowed, but all others are still escaped.
- Protected custom - often I want to replace line feeds/carriage returns in data with HTML line breaks. This combination gives the best of both worlds.
- Naughty - avoid unticking the Escape Special Characters attribute without protecting the data within the SQL. This enables Cross Site Scripting (XSS).
The naughtiness can be demonstrated by adding
alert("Hello universe")
between the <script> tags. In the unescaped column the browser runs the script and shows an alert when the page renders. This is bad because instead of an alert, it could be some malicious JavaScript.
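To make the difference between the five columns concrete, here is an added Python model of the three escaping styles in the list above (escape everything, escape with a tag allow-list, and allow-list plus line-feed replacement), run over the same sample string the query builds. This is illustrative code written for this post, not APEX's own implementation: the entity set is the one documented for apex_escape.html, the allow-list is a hypothetical one of my own rather than the package's default, and the "escape, then restore the exact escaped form of each permitted tag" approach is my reading of how html_whitelist behaves. It also shows the caveat a practitioner should know: a whitelist of exact tag strings does not let through a tag that carries attributes, because the escaped text never matches.

```python
# Constructed sample row, equivalent to the string the query builds with q'[...]' || chr(10) || ...
SAMPLE = "G'day,\nScott<strong>loves</strong><br>APEX<script></script>"

# Hypothetical allow-list for this demonstration; apex_escape.html_whitelist ships its own default.
WHITELIST_TAGS = ("<strong>", "</strong>", "<br>", "<b>", "</b>", "<i>", "</i>", "<p>", "</p>")


def escape_html(s: str) -> str:
    """Model of apex_escape.html: & " < > ' / become entities, so the browser shows them as text.
    Ampersand goes first so the entities introduced by later steps are not re-escaped."""
    return (s.replace("&", "&amp;")
             .replace('"', "&quot;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace("'", "&#x27;")
             .replace("/", "&#x2F;"))


def escape_html_whitelist(s: str, tags=WHITELIST_TAGS) -> str:
    """Model of apex_escape.html_whitelist (assumption): escape everything, then put back the
    exact escaped form of each allow-listed tag. <script> is not listed, so it stays escaped, and
    an opening tag with attributes (<strong class="x">) never matches the exact string either."""
    out = escape_html(s)
    for tag in tags:
        out = out.replace(escape_html(tag), tag)
    return out


def escape_custom(s: str) -> str:
    """The post's 'protected custom' column: whitelist, then turn line feeds into HTML line breaks."""
    return escape_html_whitelist(s).replace("\n", "<br>")


def render_columns(s: str) -> dict:
    """What each of the five report columns hands to the browser.
    'dflt' is escaped by the APEX engine (Escape Special Characters = Yes), 'protected' by the SQL;
    both end up identical. 'naughty' is the raw string, which is where the XSS risk lives."""
    return {
        "dflt": escape_html(s),
        "protected": escape_html(s),
        "whitelisted": escape_html_whitelist(s),
        "protected_custom": escape_custom(s),
        "naughty": s,
    }


def script_survives(column_value: str) -> bool:
    """True if an unescaped <script> tag reaches the browser, i.e. the column is exploitable."""
    return "<script" in column_value.lower()


if __name__ == "__main__":
    for name, value in render_columns(SAMPLE).items():
        print(f"{name:17} script reaches browser: {script_survives(value)!s:5}  {value!r}")
```

Running it shows that only the "naughty" column lets the <script> element through; the whitelisted and custom columns keep <strong> and <br> live while the script element is rendered as harmless text.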
Further security tips can be found at Recx.
APEX-SERT is also 5.0 ready.