Encoding & as & in user input oracle apex
I am making form with user input form as you can see the image.
Because of XSS, I am using Apex's own security option:
Restricted characters : Blocklist &<>"/;,*|=% and --
Is there any way that when I type "&" this automatically convert into &? or can I create my custom restricted characters or mapping? I have looked into apex_escape function, but didn't find a suitable use.
You state "Because of XSS i am using Apex own security option". Why is that ? What are you trying to avoid by doing this ? Changing the data while a user is typing it is going to be frustrating for the user. My advice would be to not modify the input but instead secure how the data is displayed. APEX gives a lot of options to do that.
If the data is used in a report the output can be html escaped using Security > Escape special characters attribute.
If the data is displayed in a page using the &P1_ITEM. notation then the output can be sanitized using the relevant output escaping depending on where it is used .
If you decide to go the other route and you do want to sanitize the input then it's a question of how the data will be used later on in the application. You could create an after submit computation on the page item using any of the available methods in the APEX_ESCAPE api depending on what the expected use of the data is.
Another option is, as you suggest, to create a custom block list. The implementation of the restricted characters functionality is a client side validation. That can be achieved with a dynamic action and some javascript code (up to you to write that). It can also be done server side with a normal validation like the one below.
- Type: Function body returning Boolean
- Function body:
DECLARE
l_blacklist_chars apex_t_varchar2;
BEGIN
apex_string.push(l_blacklist_chars,'&');
apex_string.push(l_blacklist_chars,'<');
apex_string.push(l_blacklist_chars,'>');
FOR i IN 1 .. l_blacklist_chars.COUNT LOOP
IF INSTR(:P312_CUSTOM_BLOCKLIST,l_blacklist_chars(i)) > 0 THEN
RETURN false;
END IF;
END LOOP;
END;
- Error message: The field contains forbidden characters
- Found the weekly salary from database
- Encoding & as &amp in user input oracle apex
- Problem with setting focus after displaying a modal
- why Interactive grid not saving the data calculated byJavaScript code?
- Oracle APEX send JSON encoding arabic issue
- Oracle APEX Interactive Grid Row Revert using Javascript
- Calling a Page Process when button pressed without Submit Action
- Setting date value in an Interactive grid based on a page item
- Oracle Apex 4.2 interactive report with lookup tables
- Make my oracle apex application point to website home page url
- Saving Checkbox data in a DB column
- Select all checkbox of interactive grid only selects the rows that have already been rendered?
- Oracle Apex Cards Region Pagination
- How to fetch new value of switch column (in dynamic action) in Interactive Grid?
- Convert Apex application from 19.2 to 19.1
- How to install Oracle Apex Listener?
- How to comment out in Oracle APEX
- Oracle APEX Interactive Grid Cell Template
- Interactive grid - populate a field on insert automatically
- Oracle APEX Hide/Show No Data Found Message
- Oracle Apex IG throws error when adding multiple values in one cell
- Oracle Database REST APIs (ORDS) - url endpoints verbs does not work
- Main methdology steps to configure multi-languages application
- Change label of Interactive Grid button without creating whole new button
- Conditional Reset Button with Confirmation
- Oracle APEX: Interactive Grid Custom buttons disabled/enabled
- Weird behavior while creating gantt chart in oracle apex 22.2
- Fetching Data from Database on Form Rendering Oracle APEX 24
- Group by A, B and order by A
- Changing the tree node text color conditionally