<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <title>Understanding Cross-Site Scripting Protection</title> <meta name="generator" content="Oracle DARB XHTML Converter (Mode = ohj/ohw) - Version 5.1" /> <meta name="date" content="2009-04-14T16:11:31Z" /> <meta name="robots" content="noarchive" /> <meta name="doctitle" content="Understanding Cross-Site Scripting Protection" /> <meta name="relnum" content="Release 3.2" /> <meta name="partnum" content="E11947-01" /> <link rel="copyright" href="dcommon/html/cpyr.htm" title="Copyright" type="text/html" /> <link rel="stylesheet" href="dcommon/css/blafdoc.css" title="Oracle BLAFDoc" type="text/css" /> <link rel="contents" href="toc.htm" title="Contents" type="text/html" /> <link rel="up" href="preface.htm" title="Home" type="text/html" /> <link rel="up" href="sec.htm" title="Managing Application Security" type="text/html" /> <link rel="up" href="sec_dev.htm" title="Understanding Developer Sec..." type="text/html" /> <link rel="up" href="sec_cross_site.htm" title="Understanding Cross-Site Sc..." 
type="text/html" /> <link rel="prev" href="sec_zero_sessionid.htm" title="Previous" type="text/html" /> <link rel="next" href="sec_session_encrypt.htm" title="Next" type="text/html" /> </head> <body> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <col width="86%" /> <col width="*" /> <tr valign="bottom"> <td align="left"></td> <td align="center"><a href="sec_zero_sessionid.htm"><img src="dcommon/gifs/leftnav.gif" alt="Previous" /><br /> <span class="icon">Previous</span></a> </td> <td align="center"><a href="sec_session_encrypt.htm"><img src="dcommon/gifs/rightnav.gif" alt="Next" /><br /> <span class="icon">Next</span></a></td> </tr> </table> <p><a id="CDDBBECI" name="CDDBBECI"></a></p> <div class="sect2"> <h1><a name="HTMDB12001|cross site-scripting (XSS)"></a>Understanding Cross-Site Scripting <a id="sthref1949" name="sthref1949"></a><a id="sthref1950" name="sthref1950"></a>Protection</h1> <p>Cross-site scripting (also referred to as XSS) is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker.</p> <p>If malicious code were introduced into an Oracle Application Express application, it could be rendered into HTML regions and other places within the application during normal page rendering. 
To prevent the introduction of malicious code into session state, the Application Express engine escapes characters in certain cases.</p> <a id="sthref1951" name="sthref1951"></a> <p class="subhead2">Topics:</p> <ul> <li> <p><a href="#BCGBHHJJ">Protecting HTML Regions and Other Static Areas</a></p> </li> <li> <p><a href="#BCGIEDIH">Protecting Dynamic Output</a></p> </li> <li> <p><a href="#BCGIIFHI">Protecting Report Regions</a></p> </li> <li> <p><a href="#BCGGAJIF">Protecting Form Items</a></p> </li> </ul> <a id="BCGBHHJJ" name="BCGBHHJJ"></a> <div class="sect3"> <h2><a name="HTMDB25744" id="HTMDB25744"></a>Protecting HTML Regions <a id="sthref1952" name="sthref1952"></a><a id="sthref1953" name="sthref1953"></a>and Other Static Areas</h2> <p>In HTML regions and other static display areas, you can reference session state using the <code>&amp;ITEM.</code> notation. Examples of static display areas include HTML regions, page headers and footers, region headers and footers, region titles, button labels, help text, form item labels and post-element text, templates, radiogroup (before and after field text), event success messages, event error messages, navigation bar attributes, application static substitution string values, chart labels and legends, breadcrumbs and list framing text, and calendar text, labels, or legends.</p> <a id="CHDGEEFC" name="CHDGEEFC"></a> <div class="sect4"> <h3><a name="HTMDB25745" id="HTMDB25745"></a>About Safe Item Display Types</h3> <p>When session state is referenced in this way, the value emitted to the page will not have special characters (<code>&lt;</code>, <code>&gt;</code>, <code>&amp;</code>, <code>&quot;</code>) escaped if the referenced item is one of the following safe item display types:</p> <ul> <li> <p>Display as Text (does not save state)</p> </li> <li> <p>Display as Text (escape special characters, does not save state)</p> </li> <li> <p>Display as Text (based on LOV, does not save state)</p> </li> <li> <p>Display as Text (based on PL/SQL, does 
not save state)</p> </li> <li> <p>Text Field (Disabled, does not save state)</p> </li> <li> <p>Stop and Start HTML Table (Displays label only)</p> </li> </ul> <p>If the referenced item has a display type other than one of the above types, the value emitted to the page will have special characters escaped. Although application-level items are also considered to have a safe display type, they do not actually have display properties like form items do.</p> <div align="center"> <div class="inftblnotealso"><br /> <table class="NoteAlso oac_no_warn" summary="" cellpadding="3" cellspacing="0"> <tbody> <tr> <td align="left"> <p class="notep1">See Also:</p> <a href="bldapp_item.htm#BCECAHHJ">"Understanding Page-Level Items"</a></td> </tr> </tbody> </table> <br /></div> <!-- class="inftblnotealso" --></div> </div> <!-- class="sect4" --> <div class="sect4"><a id="sthref1954" name="sthref1954"></a> <h3><a name="HTMDB25746" id="HTMDB25746"></a>About the Rules Used to Determine Whether to Escape Values</h3> <p>The Application Express engine uses predefined smart escaping rules to determine if and when to escape values fetched from session state.</p> <p>The reason for these rules is that items that use the display types listed previously are often for text containing HTML that is intended to be emitted to the browser without being filtered (that is, escaped). The only way this can be made safe is by the enforcement of the rule that these types of items are always escaped on input to the application. For example, if a user passes some text into a safe item using an Oracle Application Express f?p URL syntax, the Application Express engine escapes special characters when saving the value into session state. 
This has two intended results:</p> <ol> <li> <p>If the value contained no special characters, the value passed in is saved into session state exactly as it was provided.</p> </li> <li> <p>If the value contained special characters, those characters are escaped when the value is saved into session state.</p> </li> </ol> <p>In either situation, the item can now safely be referenced using an <code>&amp;ITEM.</code> notation in any HTML region or other static area mentioned previously.</p> </div> <!-- class="sect4" --> <div class="sect4"><a id="sthref1955" name="sthref1955"></a> <h3><a name="HTMDB25747" id="HTMDB25747"></a>Using Safe Item Types to Hold and Emit HTML Markup</h3> <p>You can use the safe item types listed previously to hold and emit HTML markup to the browser. For example, suppose you have a requirement to render some text in bold face by referencing a safe page item named <code>P1_XXX</code> (using <code>&amp;P1_XXX.</code>). The item <code>P1_XXX</code> is presumed to contain the following HTML:</p> <pre xml:space="preserve" class="oac_no_warn"> &lt;b&gt;ABABABAB&lt;/b&gt; </pre> <p>You can achieve this by using application controls (computations, processes, item source expressions, item default values, and so on) to store values into these safe items. When values are introduced in this way, you ensure the safety of the content. 
When you use these methods, the Application Express engine does not escape any special characters when saving the values into session state.</p> <p>Finally, the safety of safe items is ensured by a rule that prevents those items from being posted on a page and submitted to the Application Express engine as part of a page submission.</p> </div> <!-- class="sect4" --></div> <!-- class="sect3" --> <a id="BCGIEDIH" name="BCGIEDIH"></a> <div class="sect3"> <h2><a name="HTMDB25748" id="HTMDB25748"></a>Protecting Dynamic Output<a id="sthref1956" name="sthref1956"></a></h2> <p>Items fetched from session state and rendered using <code>htp.p</code> or other methods should be explicitly escaped by the code where it is appropriate to do so. For example, suppose a PL/SQL dynamic content region on a page uses the following:</p> <pre xml:space="preserve" class="oac_no_warn"> htp.p(v('SOME_ITEM')); </pre> <p>If the value of the item fetched from session state could contain unintended tags or scripts, you might want to use the following in the region:</p> <pre xml:space="preserve" class="oac_no_warn"> htp.p(htf.escape_sc(v('SOME_ITEM'))); </pre> <p>However, if you are confident that the fetched value is safe for rendering, you do not need to escape the value. As a developer, you need to determine when it is appropriate to not escape output.</p> <p>As a best practice, follow this rule:</p> <ul> <li> <p>Never emit an item fetched from session state without escaping it unless the item is one of the safe types described in <a href="#CHDGEEFC">"About Safe Item Display Types"</a>.</p> </li> </ul> <p>The reason for this is that as a developer, there is no way you can prevent a hacker from posting a malicious value into a non-safe item. 
Even if your application does not present these items visibly to ordinary users, be aware that a hacker can mount an XSS attack using your application if you do not follow this rule.</p> </div> <!-- class="sect3" --> <a id="BCGIIFHI" name="BCGIIFHI"></a> <div class="sect3"> <h2><a name="HTMDB25749" id="HTMDB25749"></a>Protecting Report Regions<a id="sthref1957" name="sthref1957"></a></h2> <p>The Application Express engine escapes data rendered in the body of a report. References to session state in report headings and messages are fetched from session state using the smart escaping rules so that the values of safe item types are not escaped and the values of other item types are escaped.</p> </div> <!-- class="sect3" --> <a id="BCGGAJIF" name="BCGGAJIF"></a> <div class="sect3"> <h2><a name="HTMDB25750" id="HTMDB25750"></a>Protecting Form Items<a id="sthref1958" name="sthref1958"></a></h2> <p>When form items, including hidden items, obtain their values during the generation of the form page to be sent to the browser, the resulting text is escaped before rendering. Some of the safe item types are exceptions to this rule in order to support the intended behavior of each display type.</p> </div> <!-- class="sect3" --></div> <!-- class="sect2" --> <!-- Start Footer --> <div class="footer"> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <col width="86%" /> <col width="*" /> <tr> <td align="left"><span class="copyrightlogo">Copyright © 2003, 2009, Oracle and/or its affiliates. 
All rights reserved.</span><br /> <a href="dcommon/html/cpyr.htm"><span class="copyrightlogo">Legal Notices</span></a></td> </tr> </table> </div> <!-- class="footer" --> </body> </html>
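<p>The following is an added worked example, not code from this guide or from the Application Express engine. It models, in Python, the two rules the sections "About the Rules Used to Determine Whether to Escape Values" and "Protecting Dynamic Output" describe: values arriving from a user (f?p URL syntax) are escaped on input when the target is a safe item and left raw otherwise; <code>&amp;ITEM.</code> substitution in a static region then emits safe items as stored and escapes every other item; values stored by application controls (computations, processes, defaults) are kept verbatim; and a safe item can never be set by page submission. The <code>escape_sc</code> function stands in for <code>htf.escape_sc</code> and escapes only the four characters the page lists; the <code>SessionState</code> class, the <code>set_from_*</code> methods, the item names and the input string are all constructed for this illustration and are not APEX APIs.</p>

```python
import re

# Safe item display types as listed on this page. A value referenced as &ITEM.
# from one of these is emitted unescaped because it was escaped on input instead.
SAFE_DISPLAY_TYPES = {
    "Display as Text (does not save state)",
    "Display as Text (escape special characters, does not save state)",
    "Display as Text (based on LOV, does not save state)",
    "Display as Text (based on PL/SQL, does not save state)",
    "Text Field (Disabled, does not save state)",
    "Stop and Start HTML Table (Displays label only)",
}


def escape_sc(value: str) -> str:
    """Stand-in for htf.escape_sc: escape the four characters the page names.
    '&' is replaced first so the entities produced afterwards are not re-escaped."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


class SessionState:
    """Hypothetical model of session state: item name -> value, plus each
    item's display type so the smart escaping rules can be applied."""

    def __init__(self, display_types: dict):
        self.display_types = display_types
        self.values = {}

    def is_safe(self, name: str) -> bool:
        return self.display_types[name] in SAFE_DISPLAY_TYPES

    def set_from_url(self, name: str, raw: str) -> None:
        """Value supplied by a user, e.g. through f?p URL syntax. Safe items are
        escaped on input; other items keep the raw value and are escaped on output."""
        self.values[name] = escape_sc(raw) if self.is_safe(name) else raw

    def set_from_submit(self, name: str, raw: str) -> None:
        """Page submission: the page says safe items are never accepted this way."""
        if self.is_safe(name):
            raise ValueError(f"{name} is a safe item and cannot be posted on submit")
        self.values[name] = raw

    def set_from_application(self, name: str, value: str) -> None:
        """Computation / process / default value: trusted, stored without escaping."""
        self.values[name] = value

    def v(self, name: str) -> str:
        """Stand-in for v('ITEM'): returns the stored value as-is."""
        return self.values.get(name, "")

    def substitute(self, template: str) -> str:
        """Expand &ITEM. references in a static region using the smart escaping rules."""
        def repl(m):
            name = m.group(1)
            if name not in self.display_types:
                return m.group(0)          # unknown reference: leave the text alone
            value = self.v(name)
            return value if self.is_safe(name) else escape_sc(value)
        return re.sub(r"&([A-Z][A-Z0-9_]*)\.", repl, template)


def dynamic_output_unescaped(state: SessionState, name: str) -> str:
    """Equivalent of htp.p(v('SOME_ITEM')): only acceptable for a safe item."""
    return "<p>" + state.v(name) + "</p>"


def dynamic_output_escaped(state: SessionState, name: str) -> str:
    """Equivalent of htp.p(htf.escape_sc(v('SOME_ITEM'))): the rule for non-safe items."""
    return "<p>" + escape_sc(state.v(name)) + "</p>"


def demo() -> dict:
    state = SessionState({
        "P1_XXX": "Display as Text (does not save state)",   # safe item type
        "P1_NAME": "Text Field",                             # not a safe type
    })
    user_input = '<b>Hello</b> & "bye"'   # constructed input holding all four special characters
    state.set_from_url("P1_XXX", user_input)     # escaped on input
    state.set_from_url("P1_NAME", user_input)    # stored raw
    results = {
        "safe_stored": state.v("P1_XXX"),
        "region": state.substitute("<h1>&P1_XXX.</h1><p>&P1_NAME.</p>"),
        "dynamic_unescaped": dynamic_output_unescaped(state, "P1_NAME"),
        "dynamic_escaped": dynamic_output_escaped(state, "P1_NAME"),
    }
    state.set_from_application("P1_XXX", "<b>ABABABAB</b>")   # trusted markup from the app
    results["markup_region"] = state.substitute("<h1>&P1_XXX.</h1>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Running <code>demo()</code> shows both halves of the rule in one place: the safe item holds an already-escaped copy of the user input and is emitted as stored, the non-safe item holds the raw text and is escaped at the point of <code>&amp;ITEM.</code> substitution, and the same raw text rendered through the unescaped dynamic-output path reaches the browser as live markup, which is exactly the case the "never emit without escaping" rule exists to prevent.</p>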