Tuesday, September 02, 2014

APEX 5 New Substitution Syntax Features


You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by building JavaScript in your APEX applications out of unescaped user input - either entered directly or retrieved from the database.
As a - very stupid and simple - example, create a Page with a Text Item (say P3_TEXT). Next create a Dynamic Action that executes this snippet of JavaScript on Page Load:

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box with "You entered Hello world". But now enter something like:

the dark world");window.open("http://www.google.com

This looks like half a piece of code - and in fact it is. It is completed by the JavaScript snippet that uses the value as input: the quote and parenthesis close the alert() call, the semicolon ends that statement, and the rest becomes a second statement that is closed by the template's own quote and parenthesis. Now you get an alert saying "You entered the dark world" and an extra window is opened showing the Google search page. That's quite harmless, but you can invoke any JavaScript this way - including loading additional data and scripts from other servers. So you have to protect your application against this kind of attack. And of course there are many ways to do so, like escaping the value before it ends up in JavaScript.

But in APEX 5 you've got a new and simple option: the Extended Substitution Syntax. Instead of &P3_TEXT. you write &P3_TEXT!JS. - so the ampersand, the item name, an exclamation mark, the format name and the dot at the end. Now the input text is escaped for use inside a JavaScript string literal - and harmless ;-). It is the same as what a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme: 
&P3_TEXT!HTML. => escape for HTML text, like the apex_escape.html function
&P3_TEXT!ATTR. => escape for use inside an HTML attribute value, like the apex_escape.html_attribute function
&P3_TEXT!RAW. => no escaping at all (so dangerous.... only use it for values you have already escaped yourself or that cannot be influenced by a user)
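To make the difference between &P3_TEXT. and &P3_TEXT!JS. tangible, here is an added example (not code from the original post and not APEX's own implementation): a small model of the extended substitution syntax, run against the exact payload from above. The three escapers imitate apex_escape.html, html_attribute and js_literal; which characters the real functions escape, and the treatment of unknown item names, are assumptions of this model. Plain &ITEM. is modelled as unescaped, which is the behaviour the post demonstrates.

```javascript
// Added example: a model of APEX 5 extended substitution syntax (&ITEM!HTML., !ATTR.,
// !JS., !RAW.), not APEX's own code. The escapers are written in the spirit of
// apex_escape.html / html_attribute / js_literal; the real functions may escape a
// slightly different character set (assumption).
'use strict';

// Matches &NAME. or &NAME!FORMAT. in a page template (simplified item-name rule).
const SUBST_RE = /&([A-Z][A-Z0-9_]*)(?:!(HTML|ATTR|JS|RAW))?\./g;

// !HTML: neutralise the characters that can open a tag, an entity or an attribute quote.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// !ATTR: for a value inside an HTML attribute; everything that is not a letter, digit
// or a few harmless punctuation characters becomes a numeric entity.
function escapeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g,
    c => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// !JS: for a value inside a JavaScript string literal. Every character that could end
// the literal or start new code (quotes, backslash, parentheses, ;, <, /, ...) is turned
// into a \uXXXX escape, so the value can only ever be string content, never code.
function escapeJsLiteral(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

const ESCAPERS = {
  HTML: escapeHtml,
  ATTR: escapeHtmlAttribute,
  JS: escapeJsLiteral,
  RAW: s => String(s),   // no escaping: the value lands in the page exactly as typed
};

// Server-side substitution as the engine does it before the page reaches the browser.
// Plain &ITEM. is modelled as RAW here (the behaviour the post warns about). Item names
// that are not known are left untouched (simplification, assumption).
function substitute(template, items, plainFormat = 'RAW') {
  return template.replace(SUBST_RE, (match, name, format) => {
    if (!(name in items)) return match;
    return ESCAPERS[format || plainFormat](items[name]);
  });
}

// The malicious input from the post (constructed here as test data).
const PAYLOAD = 'the dark world");window.open("http://www.google.com';

// The vulnerable Dynamic Action source: the value is spliced straight into the code.
function vulnerableSnippet(value) {
  return substitute('alert("You entered &P3_TEXT.")', { P3_TEXT: value });
}

// The fixed source: &P3_TEXT!JS. keeps the whole value inside the string literal.
function hardenedSnippet(value) {
  return substitute('alert("You entered &P3_TEXT!JS.")', { P3_TEXT: value });
}

// Decode the escaped literal again: shows that !JS preserves the data (the alert still
// displays exactly what was typed) while removing its ability to act as code.
function decodeJsLiteral(escaped) {
  return JSON.parse('"' + escaped + '"');
}

console.log(vulnerableSnippet(PAYLOAD));
// alert("You entered the dark world");window.open("http://www.google.com")
console.log(hardenedSnippet(PAYLOAD));
// alert("You entered the dark world\u0022\u0029\u003Bwindow.open\u0028\u0022http\u003A\u002F\u002Fwww.google.com")
```

The first output is two statements, the second is still one alert() with one string argument: the payload's quotes, parentheses and semicolon have all become \uXXXX escapes, so there is no character left that can close the literal. The same model shows why !HTML or !ATTR would be the wrong choice in a JavaScript context - they escape for a different parser - and why !RAW should be reserved for values you have already escaped yourself.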
 
So in APEX 5 you've got even more possibilities to make your application secure - and less excuses ;-)

 

Monday, September 01, 2014

APEX 5 New Runtime API Lockdown Features

In APEX 4.x the developer could implement a feature that involves a call to the APEX API. E.g. you could create new pages on the fly if you would like to (just examine an export file for the how-to). You could drop an application using a procedure from the APEX_INSTANCE_ADMIN package. You could drop a user using APEX_UTIL.REMOVE_USER. If this is all on purpose and secured, then that's fine. But maybe you created some opportunities for SQL Injection ... and someone else could use that technique to call those very same procedures. So the bad guy (or girl) could drop your application - or maybe even worse: could create a user and give himself full access to everything!
Of course you should prevent that from happening by fixing the SQL Injection holes. But next to that: you can prevent your application from using those APIs at all! And in APEX 5 that's even the default setting. So you're safe by default ;-)

But if you really need access to those APIs, there is an Application Level Security setting you can change.
There you can switch on access to the APIs that make changes to Applications or the Workspace. The only thing is - you have to figure out yourself which setting you should enable...
So what happens if your application has the option of creating a user on the fly - and thus calls APEX_UTIL.CREATE_USER - and you didn't switch on "Modify Workspace Repository"?
Then you (or your user) get a "nice" error page with a generic message and an error ID.
That sounds rather cryptic - and it is - but there is an entry in the Debug Messages with that ID. Even when you're not running in debug mode! Look up that entry and you'll find the real cause.
But of course it is better to catch these errors (and all other ones as well) via an Error Handling Function. That way you can get an email when something like this happens and fix it - or be warned that something bad is going on ....

But it's a nice additional security feature!


Friday, August 29, 2014

APEX 5 New Password Reset Features

Now and then it happens when we're logging in to our APEX instance: we have to change our password again .... And that means typing it in an awful number of times:
1. Current Password
2. New Password (and of course preferably the same as the current one ...)
3. Confirm New Password
4. Press Apply Changes
5. Press Return
6. And we're back at Square One : The login screen - and here we type that password again...
But in APEX 5 the APEX Development Team made it easier for us: When you have to change your password, you're automagically logged in with that brand new password. Finally. Sigh ....

It's a very small thing - but it takes away just that little bit of irritation every few months or so ;-)

Thursday, August 28, 2014

APEX 5 New Developer Preferences Features

As a lot of the new APEX 5 features are "by developers for developers", this one is also a nifty little thing that makes our lives easier. Only the developer part of our lives of course....
In the upper right corner of APEX 5 you'll see your login name and a rather anonymous avatar. Just for fun - and recognisability - you can add your own face there. Or a picture of your dog if you like that one better. Just click "Edit Profile" to upload a picture. Oh yeah - you can change your username and password as well in that pop-up.
Way more functional is what's below the "Preferences" button. You can specify here how you want APEX to act when you press a "Run Application" button. You can define whether the Application should start in a new tab or in a new window. What's pretty cool is that when you keep that tab or window open and press the Run button again, focus will switch to that tab/window and your page will be reloaded there. So you don't get multiple tabs/windows, but just one. And the way back using the Developer Toolbar is also supported!
And if you're working on multiple applications at the same time, you'll love the last preference: You can even share that tab/window over multiple applications...
One small pitfall: the changes you make to the Preferences / Photo etc. only take effect after a page refresh - but that's probably a bug that will be fixed ;-)

My OOW14 Performances

Oracle Open World 2014 starts in just over 4 weeks from now. And I am one of the (50,000?) lucky people who will be there ....
I will even take part in three sessions, one straight at the start and one almost at the end:

What Are They Thinking? With Oracle Application Express and Oracle Data Miner [UGF2861]
Sunday, Sep 28, 9:00 AM - 9:45 AM - Moscone South - 304

Panel Discussion: Bring Your Questions About Integration (or Anything Else) [UGF9093]
Sunday, Sep 28, 3:30 PM - 4:15 PM - Moscone South - 300

The Best of Both Worlds: Going Hybrid with Your Mobile Oracle Application Express Applications [CON2296]
Thursday, Oct 2, 10:45 AM - 11:30 AM - Moscone South - 303

Hope to see you there!

Wednesday, August 27, 2014

APEX 5 New Column Link Features

In the current version of Oracle Application Express you can use up to three items in a Column Link.
Most of the time that is enough. But there were always some use cases where you needed four or even five. And of course, just like with all limitations, you can figure out a workaround. But wouldn't it be just awesome if APEX offered us more items out of the box?

And in APEX 5 they do! The number of items you can use in a Column Link isn't restricted anymore. So you don't get four. Or five. Or even six. You get "unlimited" (between " because there's probably some 32k sizing limit somewhere.. but you'll get the point).

But wait ... there's more!
The "Target Type" isn't limited to "URL" or "Page in this Application". You can now - declaratively ! - link to Pages in other Applications as well as you can see below.
So one more reason to add to the already long lists of reasons to upgrade to APEX 5 as soon as we can ... maybe general availability will be announced at OOW ?? 

Tuesday, August 26, 2014

APEX 5 New Supporting Objects Features

In the current version of APEX the Supporting Objects feature is undervalued. You can create (sort of) self-installing applications with it, but it is not widely used. Why? Because people don't really know the feature, or they do and run into a lack of functionality. In both cases: check out the functionality of APEX 5!
When you have scripts for creating tables, packages etc., in the current version you have to manually keep those install scripts in sync with "reality". You have to do it manually - so it'll go wrong sooner or later. But in APEX 5 you can sync your scripts with the click of a button. Well, in fact two clicks: one for the check box and one for the button. See the animation below.
So when you click "Refresh Checked" your script will be recreated, reflecting the current situation of your database.
Well, how does that work? If you click on the pencil icon and then navigate to the "Script Editor" tab, you'll see that the script is associated with objects. You can add objects here or remove the association - your script will be recreated automagically. Please notice you can't add your own code to these scripts because it'll be overwritten.
And to make it even easier for you - and eliminate the need to run APEX in Developer Mode in the target environment - you can now enable "auto install" of Supporting Objects. Thus Supporting Objects will be installed even from within SQL*Plus or SQL Developer!
When you export an application you can set the corresponding preference like below.
One nice enhancement request maybe: I would like to have a "Refresh Checked" option on export as well! So I can refresh all my source code upon export ....

So these are a few more reasons to use Supporting Objects in your next APEX 5 project!

Friday, August 22, 2014

APEX 5 New Calendar Features

While playing around in the APEX 5 EA2 environment I discovered a few neat little features for Calendar regions.

First of all you can export the data of the calendar - only the data that's currently visible - in four formats. Especially the iCal format is new and interesting as this is readable by most calendar applications. Right now, in EA2, the PDF option doesn't seem to work yet. And alas, the iCal format is not readable by the Apple Calendar - but I hope that'll be fixed when the product becomes available! It is promising nevertheless....

Another cool feature is the Google URL. You can enter the URL of a public Google Calendar (or your private calendar if you want to) and your appointments will show up in your APEX application (see the green entries in the screenshot below)!

And last but not least : You can add your own (or someone else's) RESTful webservice feed to the calendar as well. By defining your own Resource Handler using a query to return a JSON string, you can add even more data sources to your calendar. The purple entry below is created by the SQL statement:

select 'Presentation APEX5 Hidden Features' as "title"
,      sysdate - 0.5/24 as "start"
,      sysdate + 0.5/24 as "end"
from dual


The JSON format is fixed, so we have to put the column aliases in double quotes to get a proper SQL statement: "start" and "end" are reserved words in Oracle SQL, and without the quotes the attribute names would come out in uppercase, which is not what the calendar expects.