(8 intermediate revisions by one other user not shown)

Previous revision (content removed in this diff):
PL/SQL is a powerful procedural language built on top of Oracle SQL syntax. The extensive library of business-related and data-processing functions it incorporates makes it an attractive environment for building business-critical applications operating fully within the Oracle database. The introduction of the PL/SQL Web Toolkit enabled Oracle developers to generate HTML straight from PL/SQL code and build web applications residing fully within the Oracle database.

Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable [[OWASP Top 10]] vulnerabilities. The Oracle `htp` (hypertext procedures) and `htf` (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications, as well as output escaping functions. [https://docs.oracle.com/cd/B14099_19/web.1012/b15896/pshtp.htm Oracle: The htp and htf Packages]

==Escaping==
Applications running on newer Oracle versions where APEX packages are available should use `apex_escape` for contextual escaping of output data, in a manner similar to [[ESAPI]] validators. [https://docs.oracle.com/database/121/AEAPI/apex_escape.htm Oracle: apex_escape]
* APEX_ESCAPE.HTML
* APEX_ESCAPE.HTML_ATTRIBUTE
* APEX_ESCAPE.HTML_TRUNC
* APEX_ESCAPE.HTML_WHITELIST
* APEX_ESCAPE.JS_LITERAL
* APEX_ESCAPE.LDAP_DN
* APEX_ESCAPE.LDAP_SEARCH_FILTER
* APEX_ESCAPE.NOOP
Applications running on older versions of Oracle may use '''htp.prints''' to output text blocks rather than '''htp.print''', as the former escapes potentially dangerous characters (`<>"'`).

For escaping individual data fields for output in HTML context, `htf.escape_sc` should be used. The `utl_url.escape` function is available to escape URL characters (`&"<>%`). URL escaping functionality is also provided by the legacy `htf.escape_url` function, but it is less robust.
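As an added example (not part of the original cheat sheet), the following PL/SQL Web Toolkit procedure renders one untrusted value in three output contexts, HTML body, HTML attribute and URL query string, using the `htp`, `htf` and `utl_url` functions named above; the procedure name `show_search` and the parameter `p_term` are assumptions, and the `apex_escape` equivalents are shown in comments because they need an APEX installation.

```sql
-- Added example (not part of the original cheat sheet): contextual escaping
-- of one untrusted value in a PL/SQL Web Toolkit page. Procedure and
-- parameter names are assumptions.
CREATE OR REPLACE PROCEDURE show_search(p_term IN VARCHAR2) AS
  l_term VARCHAR2(4000) := NVL(p_term, '');
BEGIN
  htp.htmlOpen;
  htp.bodyOpen;

  -- Unsafe: the raw value would be written straight into the HTML body.
  -- htp.print('You searched for ' || l_term);

  -- HTML body context: htp.prints escapes < > " ' before writing.
  htp.prints('You searched for ' || l_term);

  -- Value embedded in a larger literal: htf.escape_sc returns the escaped
  -- string so it can be concatenated with trusted markup.
  htp.print('<p>Results for <b>' || htf.escape_sc(l_term) || '</b></p>');

  -- HTML attribute context: keep the attribute quoted and escape the value
  -- (escape_sc also encodes the quote characters, so it cannot break out).
  htp.print('<input type="text" name="q" value="' ||
            htf.escape_sc(l_term) || '">');

  -- URL context: escape the query-string parameter with utl_url.escape.
  -- The second argument (escape_reserved_chars) also encodes & = / ? etc.
  htp.print('<a href="show_search?p_term=' ||
            utl_url.escape(l_term, TRUE) || '">Search again</a>');

  -- On databases with APEX installed, the equivalent contextual calls are:
  -- htp.p(apex_escape.html(l_term));
  -- htp.p('<input value="' || apex_escape.html_attribute(l_term) || '">');
  -- htp.p('<script>var q = ' || apex_escape.js_literal(l_term) || ';</script>');

  htp.bodyClose;
  htp.htmlClose;
END show_search;
/
```

Calling the procedure with a term such as `<b>x</b>` should produce `&lt;b&gt;x&lt;/b&gt;` in the body and attribute output and `%3Cb%3Ex%3C%2Fb%3E` in the link, which is the quick check to run after deploying it.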
==Authors==
* Pawel Krawczyk

== Other Cheatsheets ==
{{Cheatsheet_Navigation_Body}}

[[Category:Cheatsheets]]
Latest revision as of 10:15, 16 February 2019
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
An [https://github.com/OWASP/CheatSheetSeries/issues/13 open discussion] is pending about whether or not to exclude this cheat sheet from V2 of the project.