APEX attributes for Escaping Special Characters

Posted in Database Applications Development,Misc by Scott Wesley @ Jan 3, 2017

A relatively common question on the forums concerns the escaping of special characters in reports, but it seems the developer isn’t always sure what is actually happening, or how to search for the relevant setting.

It seems I’ve had this on my “to blog” list since April 2015, but now that 5.1 has been released, more people are coming off 4.x and can’t work out where the Standard Report option went.

APEX 4.x Display As attribute

This was required when HTML was present in the query, either to add tabular items manually using apex_item, or to style data (though you should use HTML Expression for that instead).

Example of special characters being escaped

For instance, if you’ve written a query like so:

SELECT APEX_ITEM.CHECKBOX2(1, empno, 'CHECKED') chk, ename
FROM   emp
ORDER BY 1

and are only seeing the raw HTML code in your column output:

<input type="checkbox" name="f01" value="7369" CHECKED />

then you need to change Escape Special Characters, now found in the Security section of the column properties as a Yes/No option.

APEX 5.0 Escape Special Characters attribute

This defaults to Yes to help protect against cross-site scripting (XSS), a common security concern on the web: data entered by users is stored in the database, and when it is later rendered without escaping, the browser interprets it as HTML code.

Set it to No to allow your data to be rendered as you may expect.
Note that in the 5.0 component view this is still referenced as Display As – Standard Report Column.

The change in terminology is documented in the 5.0 release notes.

Report column property naming differences

Please note that if you set this attribute to No, you should still make efforts to protect your application by escaping data where possible. For example, if I wanted to replace all line feeds with the HTML line break, I can still escape the data first and then add the HTML content:

replace(apex_escape.html(card_title), chr(10), '<br>')

You could probably do a variation of this using apex_escape.html_whitelist.

If you’re combining two fields, separated by the line break:

apex_escape.html(phone)||'<br>'||apex_escape.html(email)

then you might as well use HTML Expression and keep your data/UI layers separate.
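To show the escape-then-add-markup order in one runnable query, here is an added example (not from the original post) that can be run in SQL Workshop against an APEX-enabled schema. The CARDS rows are constructed inline, so no real table is assumed; the whitelist call relies on the package's default tag list.

```sql
-- Constructed sample data: one row whose notes contain '&', a <script>
-- tag and a line feed, as a user might have typed into a text area.
WITH cards AS (
  SELECT 1 AS card_id,
         'Tom & Jerry <script>alert(1)</script>' || chr(10) || 'second line' AS notes,
         '555-0100' AS phone,
         'tom@example.com' AS email
  FROM   dual
)
SELECT card_id,
       -- Unsafe: markup from the data is rendered as-is when the column has
       -- Escape Special Characters = No.
       replace(notes, chr(10), '<br>')                                AS notes_unsafe,
       -- Safe: escape the data FIRST, then substitute the line break, so the
       -- only markup reaching the browser is the <br> we added ourselves.
       replace(apex_escape.html(notes), chr(10), '<br>')              AS notes_escaped,
       -- Two escaped fields joined by markup; HTML Expression is the tidier
       -- place for this, as the post says.
       apex_escape.html(phone) || '<br>' || apex_escape.html(email)   AS contact,
       -- Keep only the package's default whitelist of formatting tags and
       -- escape everything else.
       apex_escape.html_whitelist(notes)                              AS notes_whitelist
FROM   cards
ORDER BY card_id;
```

Compare notes_unsafe with notes_escaped in the output: the script tag survives only in the first column, while both still display the line break.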

HTML Expression attribute

Check out the open source project APEX-SERT to help find potential security concerns in your Oracle APEX applications.
