In the presentation I point out the need to escape the input that you get from a user of the plugin, in order to protect the plugin from unwanted use such as SQL injection, cross-site scripting and the like.
In the example plugin that is created in the presentation, I use HTP.ESCAPE_SC to escape the special characters (hence the name _SC). There is a newer and better method to escape the special characters: APEX_ESCAPE.HTML, which supports two levels of escaping, Basic and Extended.
By default the extended level of escaping is enabled, but this can be overridden with APEX_ESCAPE.SET_HTML_ESCAPING_MODE (for whatever reason).
To illustrate both the extended and the basic level of escaping, the examples below set the level explicitly and compare the result with HTF.ESCAPE_SC.
SQL> begin
  2    apex_escape.set_html_escaping_mode (p_mode => 'E');
  3  end;
  4  /

PL/SQL procedure successfully completed.

SQL> select sys.htf.escape_sc ('hello &"<>''/') htf
  2       , apex_escape.html ('hello &"<>''/') escape
  3    from dual
  4  /

HTF                            ESCAPE
------------------------------ ----------------------------------------
hello &amp;&quot;&lt;&gt;'/    hello &amp;&quot;&lt;&gt;&#x27;&#x2F;

With the extended level of escaping, the forward slash and the single quote are escaped as well.
When you set the escaping level to Basic (example below), you will get the same results as if you were using HTF.ESCAPE_SC.
SQL> begin
  2    apex_escape.set_html_escaping_mode (p_mode => 'B');
  3  end;
  4  /

PL/SQL procedure successfully completed.

SQL> select sys.htf.escape_sc ('hello &"<>''/') htf
  2       , apex_escape.html ('hello &"<>''/') escape
  3    from dual
  4  ;

HTF                            ESCAPE
------------------------------ ----------------------------------------
hello &amp;&quot;&lt;&gt;'/    hello &amp;&quot;&lt;&gt;'/
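To show where this matters inside a plugin rather than in a SQL*Plus session, here is an added example of a minimal region plugin render function that escapes a user-controlled value before writing it out. This is example code written for this post, not the plugin from the presentation: the function name render_escaped_region, the use of attribute_01 as the name of a page item, and the markup are assumptions for illustration. It uses the documented APEX_PLUGIN types, APEX_UTIL.GET_SESSION_STATE and the APEX_ESCAPE package.

```plsql
-- Added example (not the presentation's plugin). Assumed: the plugin's first
-- custom attribute (attribute_01) holds the name of a page item whose value
-- is supplied by the user and must be rendered back into the page.
create or replace function render_escaped_region (
    p_region              in apex_plugin.t_region,
    p_plugin              in apex_plugin.t_plugin,
    p_is_printer_friendly in boolean )
    return apex_plugin.t_region_render_result
is
    l_result apex_plugin.t_region_render_result;
    -- name of the page item, taken from the plugin attribute (assumption)
    l_item   varchar2(4000) := p_region.attribute_01;
    -- raw, untrusted value as entered by the user
    l_value  varchar2(4000) := apex_util.get_session_state (l_item);
begin
    -- Text node: apex_escape.html honours the mode chosen with
    -- apex_escape.set_html_escaping_mode ('B' = basic, 'E' = extended).
    -- In extended mode ' and / are encoded as well, so a value such as
    -- hello &"<>'/ can never break out of the surrounding element.
    sys.htp.p ('<div class="t-Region-body">'
            || apex_escape.html (l_value)
            || '</div>');

    -- Attribute value: use the attribute-specific escaper so that the quotes
    -- delimiting the attribute cannot be closed early by the input.
    sys.htp.p ('<input type="text" name="'
            || apex_escape.html_attribute (l_item)
            || '" value="'
            || apex_escape.html_attribute (l_value)
            || '">');

    -- Never concatenate the raw value into markup or into dynamic SQL;
    -- the two calls above are the only places l_value reaches the page.
    return l_result;
end render_escaped_region;
/
```

The escaping mode set with APEX_ESCAPE.SET_HTML_ESCAPING_MODE only affects APEX_ESCAPE.HTML; HTF.ESCAPE_SC always behaves like the basic level, which is why the single quote and the forward slash are left untouched in the HTF column of the sessions above.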