|
|
| (2 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| − | PL/SQL is a powerful procedural language built on top of Oracle SQL syntax. Extensive library of business-related and data-processing functions it incorporates makes it an attractive environment for building business-critical applications operating fully within the Oracle database. Introduction of PL/SQL Web Toolkit enabled Oracle developers to generate HTML straight from the PL/SQL code and build web applications fully residing from within the Oracle database.
| + | __NOTOC__ |
| | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable [[OWASP Top 10]] vulnerabilities. Oracle <code>htp</code> (hypertext procedures) and <code>htf</code> (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications as well as output escaping functions. See [https://docs.oracle.com/cd/B14099_19/web.1012/b15896/pshtp.htm Oracle: The htp and htf Packages]
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | | |
| − | ==Escaping==
| + | An [https://github.com/OWASP/CheatSheetSeries/issues/13 open discussion] is pending about to exclude or not this cheat sheet of the V2 of the project. |
| − | Applications running on newer Oracle versions where APEX packages are available should use <code>apex_escape</code> for contextual escaping of output data in a manner similar to [[ESAPI]] validators. See [https://docs.oracle.com/database/121/AEAPI/apex_escape.htm Oracle: apex_escape]
| |
| − | | |
| − | * APEX_ESCAPE.HTML
| |
| − | * APEX_ESCAPE.HTML_ATTRIBUTE
| |
| − | * APEX_ESCAPE.HTML_TRUNC
| |
| − | * APEX_ESCAPE.HTML_WHITELIST
| |
| − | * APEX_ESCAPE.JS_LITERAL
| |
| − | * APEX_ESCAPE.LDAP_DN
| |
| − | * APEX_ESCAPE.LDAP_SEARCH_FILTER
| |
| − | * APEX_ESCAPE.NOOP
| |
| − | | |
| − | Applications should use <code>htp.prints</code> to output text blocks rather than <code>htp.print</code> as the former escapes potentially dangerous characters (<code><>"'</code>). Note that the <code>htp.prints</code> cannot be used as a simple drop-in replacement for <code>htp.print</code> because it will also escape legitimate HTML but by <code>htp</code> usage model raw HTML shouldn't be generally entered in strings but rather generated with appropriate HTML functions (e.g. <code>htp.header(1, 'Hello');</code> will output <code><H1>Hello</H1></code>).
| |
| − | | |
| − | Sample usage in typical PL/SQL code:
| |
| − | | |
| − | htp.header(1, 'Details for user ' || apex_escape.html(username)); -- outputs <H1>...</H1>
| |
| − | htp.print('Username: '); -- just a string literal, no need to escape
| |
| − | htp.italic(apex_escape.html(username), 'class=' || apex_escape.html_attribute(userclass) );
| |
| − | htp.para();
| |
| − | htp.prints(address); -- escapes dangerous chars in address string
| |
| − | htp.script ('var username="' || apex_escape.js_literal(username) || '";');
| |
| − | | |
| − | On older Oracle platforms <code>htf.escape_sc</code> for output in HTML context can be used and the <code>utl_url.escape</code> function is available to escape URL characters (<code>&"<>%</code>). URL escaping functionality is also provided by legacy <code>htf.escape_url</code> function. These functions are generally less robust than their <code>apex_escape</code> equivalents and not context-aware.
| |
| − | | |
| − | ==Authors==
| |
| − | * Pawel Krawczyk
| |
| − | | |
| − | == Other Cheatsheets ==
| |
| − | | |
| − | {{Cheatsheet_Navigation_Body}}
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
Latest revision as of 10:15, 16 February 2019
The Cheat Sheet Series project has been moved to GitHub!
An open discussion is pending about to exclude or not this cheat sheet of the V2 of the project.
