Figure 8-22. HTML and PL/SQL Region output
If a developer coded the PL/SQL region above without any restriction on the content of P2_EMAIL, a user could inject JavaScript into P2_EMAIL, and that JavaScript would ultimately run on the page. When I first considered this case, I wondered what harm it could cause. If I choose to inject JavaScript into P2_EMAIL and the JavaScript runs in my browser, I am my own victim. But if I can inject JavaScript into P2_EMAIL and have it appear in another user's browser, that is far more promising for an attacker. As developers, we don't always know what other applications might be able to edit the data. My application may protect data on the way in, but other applications that can update the same data may not. Even if the data is never read from the database, but only rendered from a user's session, there is still the possibility of injecting data into another user's session: simply convincing that user to click on a link can set an item in their session and produce unexpected results. Consider the following APEX URL:
http://apex.oracle.com/pls/apex/f?p=4201995:2:1007199804302002::::P2_EMAIL:<script>alert(document.cookie);</script>
This URL sets the value of P2_EMAIL in the session to <script>alert(document.cookie);</script>. The HTML Region escapes the content, so the browser shows the tags as literal text. The PL/SQL Region, though, does not escape the content, and it appears blank (see Figure 8-23): the browser receives a real <script> element, which renders nothing visible. It does, however, run the JavaScript and pop an alert, shown in Figure 8-24.
Figure 8-23. A view of the HTML Region
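To make the difference between the two regions concrete, here is an added example of what the PL/SQL region source looks like in its vulnerable form and in a hardened form. This is not the book's own region code (the chapter shows it only in Figure 8-22); it assumes a page item named P2_EMAIL, as in the URL above, and a region that simply echoes that item back to the user. The escaping call, APEX_ESCAPE.HTML, ships with APEX 4.1 and later; on older releases SYS.HTF.ESCAPE_SC does the same job for the characters that matter here.

```plsql
-- Added example: PL/SQL region source that renders the page item P2_EMAIL.
-- Item name and region purpose are assumed from the chapter; the body is not
-- the book's own code.

----------------------------------------------------------------------------
-- VULNERABLE: the raw item value is concatenated straight into the HTML.
-- With P2_EMAIL set from the URL to <script>alert(document.cookie);</script>
-- the browser receives a live <script> element, shows nothing for it, and
-- executes it (the blank region and the alert described in the text).
----------------------------------------------------------------------------
BEGIN
  htp.p('<p>Your e-mail address is: ' || :P2_EMAIL || '</p>');
END;
/

----------------------------------------------------------------------------
-- HARDENED: escape the value for an HTML text context before emitting it.
-- APEX_ESCAPE.HTML turns  <  >  &  "  '  into their entity forms, so the
-- same payload arrives as
--   &lt;script&gt;alert(document.cookie);&lt;/script&gt;
-- and is displayed as text, exactly as the HTML region already does.
-- On releases before APEX 4.1, substitute sys.htf.escape_sc(:P2_EMAIL).
----------------------------------------------------------------------------
BEGIN
  htp.p('<p>Your e-mail address is: ' || apex_escape.html(:P2_EMAIL) || '</p>');
END;
/
```

To check the fix, load the page with the same f?p URL and view the page source: the PL/SQL region should now contain the &lt;script&gt; entity sequence rather than a <script> tag, and no alert should fire. Note that escaping is context-specific; if the item value were placed inside an attribute (for example a value="..." of an input) or inside an inline script, the attribute- and JavaScript-context variants of APEX_ESCAPE (HTML_ATTRIBUTE and JS_LITERAL) are the appropriate calls, not the plain HTML escape.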