Senthil Murugan's Blog

Home » Apex » APEX 5 New Substitution Features

APEX 5 New Substitution Features

Thanks to Roel's Blog

You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by creating JavaScript in your APEX applications that accepts unescaped user input – either entered directly or retrieved from the database.

As a – very stupid and simple – example, create a Page with a Text Item (say P3_TEXT). Next create a Dynamic Action that executes this snippet of JavaScript on Page Load:

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box with "You entered Hello world". But now enter something like:

the dark world");"

This looks like half a piece of code – and in fact it is. It is completed by the (other) JavaScript snippet that uses this value as input. Now you get an alert saying "You entered the dark world" and an extra window is opened showing the Google search page. That's quite harmless, but you can invoke any JavaScript this way – also loading additional data and scripts from other servers etc. So you have to protect your application against this kind of hack. And of course there are many ways to do so, like escaping the value in JavaScript.

But in APEX 5 you've got a new and simple option: use the Extended Substitution Syntax. So instead of &P3_TEXT. you should use &P3_TEXT!JS. – including the ampersand, the exclamation mark and the dot at the end. Now the input text is properly escaped – and harmless ;-). Just like a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme:

&P3_TEXT!HTML. => escape all HTML, like the apex_escape.html function

&P3_TEXT!ATTR. => escape all HTML attribute values, like the apex_escape.html_attribute function

&P3_TEXT!RAW. => Don't escape at all (so: dangerous)
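An added example, not from Roel's post and not APEX code, showing in plain JavaScript why the raw &P3_TEXT. substitution breaks out of the alert() string literal while a !JS-style escaper keeps it intact. The names jsLiteralEscape, renderAlert and substitutionIsSafe are assumed helpers, and the escaper only approximates what apex_escape.js_literal does.

```javascript
// Hypothetical escaper in the spirit of &ITEM!JS. / apex_escape.js_literal (not the
// APEX implementation): every character that could terminate a JS string literal,
// close a <script> block or smuggle markup is rewritten as a \xHH or \uHHHH escape.
function jsLiteralEscape(value) {
  return String(value).replace(/[\\"'<>&\u2028\u2029\x00-\x1f]/g, function (ch) {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Mimic the Dynamic Action from the post: the item value is substituted into the
// alert() source either raw (&P3_TEXT.) or escaped (&P3_TEXT!JS.).
function renderAlert(value, escaped) {
  const sub = escaped ? jsLiteralEscape(value) : value;
  return 'alert("You entered ' + sub + '")';
}

// Verify that the rendered snippet still contains one intact string literal whose
// value is exactly the text we meant to show. Parsing the literal back with
// new Function is used here only as the check; it returns "ok" when the literal
// survives, "syntax-error" when the value broke the literal open and
// "changed" when it parses but no longer equals the original text.
function substitutionIsSafe(value, escaped) {
  const src = renderAlert(value, escaped);
  const inner = src.slice('alert("'.length, -2); // text between the quotes
  try {
    const recovered = new Function('return "' + inner + '";')();
    return recovered === "You entered " + value ? "ok" : "changed";
  } catch (e) {
    return e instanceof SyntaxError ? "syntax-error" : "changed";
  }
}

// Constructed sample inputs: the harmless one and the one from the post.
const SAMPLES = ["Hello world", 'the dark world");"'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "raw:", substitutionIsSafe(s, false),
              "escaped:", substitutionIsSafe(s, true));
}
```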

So in APEX 5 you've got even more possibilities to make your application secure – and fewer excuses 😉
