Apex escaping output

Simply put: Is ANY way to tell APEX to NOT escape the result of a query?
See this post: Re: Using a function in a report query
Works great in PL-SQL, but APEX refuses to leave it alone :-(

Sorry if it wasn't clear. What I am referring to is the output of a Report Query. [Application/Shared Components/Report Queries] The output is always escaped XML.
Apex is generating this output. How do I tell APEX NOT to escape the Report Query output? I know that APEX is creating an XML message for the report source--in this case a BI Publisher report--but even if the target was something else, I still need the option to create the source via an alternative method; a procedure, for example.

Similar Messages

Burgreport: missing alias on Listview column results in escaped output

Hi,
i'm on apex.oracle.com and create a mobile application.
When having a Listview with this query:
SELECT A.STATE_NAME||'- '||B.ST
, A.ST AS AST
, B.ST AS BST
FROM DEMO_STATES A, DEMO_STATES BThe resulting list shows an escaped output of the display column: &A.STATE_NAME||'- '||B.ST.
brgds,
Peter
get Syntax Highlighting for the Application Builder: http://apex.oracle.com/pls/apex/f?p=APEX_DEVELOPER_ADDON:ABOUT:0:::::
Blog: http://www.oracle-and-apex.com
ApexLib: http://apexlib.oracleapex.info
BuilderPlugin: http://builderplugin.oracleapex.info
Work: http://www.click-click.at and http://www.wirsindapex.at
Fantastic Plugins for APEX: http://www.tryfoexnow.com

Hi Peter,
I have filed bug 16396156 - mobile: list view column using a sql expression with no alias doesn't work
for this issue.
As you may know, the workaround is to always specify a column alias for each SQL expression.
Regards
Patrick
My Blog: http://www.inside-oracle-apex.com
APEX Plug-Ins: http://apex.oracle.com/plugins
Twitter: http://www.twitter.com/patrickwolf

APEX Report Output Formats

In the SQL Workshop query builder can the output of these queries be changed to HTML or ASCII? We have WEBDB running and are able to change the output formats at run time.

Hello Andy,
The APEX Query Builder was not designed as a report generator. It’s main purpose is to allow novice users to create SQL queries in a bit more friendly manner. After testing the validity of the query, with the displayed format type, you should actually copy the generated SQL code into an appropriate page region, like a report region.
The configuration options of this specific tool are very limited, and as far as I know, the kind of things you are asking for can’t be done in this version. One of the major additions to APEX 4.0 will be something (I don’t know the final name for it) that will allow you to do the sort of things you are asking for.
>> Also cant he number of records that are displayed by increased to say 1000 or 4000 rather then 15?
You can’t change the displayed number of records in the Query Builder. A possible work around can be to copy the SQL query into the SQL Commands. There you can control the number of displayed records.
Regards,
Arie.
&diams; Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.
&diams; Forthcoming book about APEX: Oracle Application Express 3.2 – The Essentials and More

APEX 2.2 output type

to all APEX guru ...
does apex 2.2 now support dynamic pdf output? can you link an apex application/output to a non-apex app that's built or run on the same technology (HTTP and MOD-PLSQL)? i'm asking this coz we have a web app that's been built using these tech (http and mod-plsql using IAS 1.0.2 or 10gAS R1) ... but this doesn't support output to pdf ... so we're looking for APEX if that's possible ...
TIA ...

Acording to SAP, this is the standard behaviour of the software

A question about error with jasperserver for pdf and Apex

I have created a pdf report on jasperserver and I can call it from apex via a url and it displays fine. The url is this format {http://server:port/jasperserver/flow.html?_flowId=viewReportFlow&reportUnit=/reports/Apex/deptemp&output=pdf&deptNo=#DEPTNO#&j_username=un&j_password=pw}
However, I am trying to follow a stored procedure executed from Apex so it would not expose the username/pwd in the url like above.
If I am reading the apache error log correctly it is erroring in this piece of the code below where it executes {Dbms_Lob.writeAppend}
loop
begin
-- read the next chunk of binary data
Utl_Http.read_raw(vResponse, vData);
-- append it to our blob for the pdf file
Dbms_Lob.writeAppend
( lob_loc => vBlobRef
, amount => Utl_Raw.length(vData)
, buffer => vData
exception when utl_http.end_of_body then
exit; -- exit loop
end;
end loop;
Utl_Http.end_response(vResponse);}
The error log says this; HTTP-500 ORA-14453: attempt to use a LOB of a temporary table, whose data has alreadybeen purged\n
What is this error telling me and how can I correct it?
The stored procedure I am following is below but replaced the vReportURL with my url like above that works.
Thank you,
Mark
{CREATE OR REPLACE procedure runJasperReport(i_deptno   in varchar2)
is
vReportURL       varchar2(255);
vBlobRef         blob;
vRequest         Utl_Http.req;
vResponse        Utl_Http.resp;
vData            raw(32767);
begin
-- build URL to call the report
vReportURL := 'http://host:port/jasperserver/flow.html?_flowId=viewReportFlow'||
     '&reportUnit=/reports/Apex/deptemp'||
     '&output=pdf'||
     '&j_username=un&j_password=pw'||
     '&deptNo='||i_deptno;
-- get the blob reference
insert into demo_pdf (pdf_report)
values( empty_blob() )
returning pdf_report into vBlobRef;
-- Get the pdf file from JasperServer by simulating a report call from the browser
vRequest := Utl_Http.begin_request(vReportUrl);
Utl_Http.set_header(vRequest, 'User-Agent', 'Mozilla/4.0');
vResponse := Utl_Http.get_response(vRequest);
loop
begin
-- read the next chunk of binary data
Utl_Http.read_raw(vResponse, vData);
-- append it to our blob for the pdf file
Dbms_Lob.writeAppend
( lob_loc => vBlobRef
, amount => Utl_Raw.length(vData)
, buffer => vData
exception when utl_http.end_of_body then
exit; -- exit loop
end;
end loop;
Utl_Http.end_response(vResponse);
owa_util.mime_header('application/pdf',false);
htp.p('Content-length: ' || dbms_lob.getlength(vBlobRef));
owa_util.http_header_close;
wpg_docload.download_file(vBlobRef);
end runJasperReport;
/}

I am new to working with working with jasperserver to apex interfacing, and also using utl_http with binary data.
But I guess typing my question down helped me figure out a way to make it work for me.
I combined info from http://www.oracle-base.com/articles/misc/RetrievingHTMLandBinariesIntoTablesOverHTTP.php
and from http://sqlcur.blogspot.com/2009_02_01_archive.html
to come up with this procedure.
{create or replace PROCEDURE download_file (p_url IN VARCHAR2) AS
l_http_request   UTL_HTTP.req;
l_http_response UTL_HTTP.resp;
l_blob           BLOB;
l_raw            RAW(32767);
BEGIN
-- Initialize the BLOB.
DBMS_LOB.createtemporary(l_blob, FALSE);
-- Make a HTTP request, like a browser had called it, and get the response
l_http_request := UTL_HTTP.begin_request(p_url);
Utl_Http.set_header(l_http_request, 'User-Agent', 'Mozilla/4.0');
l_http_response := UTL_HTTP.get_response(l_http_request);
-- Copy the response into the BLOB.
BEGIN
    LOOP
      UTL_HTTP.read_raw(l_http_response, l_raw, 32767);
      DBMS_LOB.writeappend (l_blob, UTL_RAW.length(l_raw), l_raw);
    END LOOP;
EXCEPTION
    WHEN UTL_HTTP.end_of_body THEN
      UTL_HTTP.end_response(l_http_response);
END;
-- make it display in apex
owa_util.mime_header('application/pdf',false);
htp.p('Content-length: ' || dbms_lob.getlength(l_blob));
owa_util.http_header_close;
wpg_docload.download_file(l_blob);
-- Release the resources associated with the temporary LOB.
DBMS_LOB.freetemporary(l_blob);
EXCEPTION
WHEN OTHERS THEN
    UTL_HTTP.end_response(l_http_response);
    DBMS_LOB.freetemporary(l_blob);
    RAISE;
END download_file; }
Don;t know what I did wrong, but I could not create an 'on-demand' process to call my procedure. I did not understand what it means when it says 'To create an on-demand page process, at least one application level process must be created with the type 'ON-DEMAND'.
so I had to use a blank page with a call to my procedure in the onload - before header process and that seems to work ok.
Thank you,
Mark

Apex : link to jasperReport

Hi everybody
i found a blog (http://sqlcur.blogspot.com/2009/02/jasperreports-in-apex.html) about an URL which enable to access my report published with iReport and JasperServer, and passing parameter
but i'm not sure to understand very well all elements in this URL
http://server:port/jasperserver/flow.html?_flowId=viewReportFlow&reportUnit=/reports/Apex/deptemp&output=pdf&deptNo=#DEPTNO#&j_username=un&j_password=pw
I think i can understand all the elements except how to use "reportUnit" :
- Have i to create this path in my tomcat/webapps/jasperserver/ directory ? or can I change it like i want ?
- and is "deptemp" the name of my .jrxml file or something else?
for instance, i can write this URL in column link field of my report in my Apex application :
http://localhost:8180/jasperserver/flow.html?_flowId=viewReportFlow&reportUnit=/reports/apexTest&output=pdf&idEmp=#ID_EMP#&j_username=jasperadmin&j_password=jasperadmin
my SQL query is for instance:
select ID_EMP, NAME_EMP from EMP where ID_EMP = $P{idEmp}
i have actually created a directory called reports/ in my jasperserver/ directory and my jrxml file is called apexTest.jrxml
but it doesn't work so i think it can be because of the reportUnit path...
thanks in advance for your help
Newbie

Ok, so here's the deal...
I'm running an application that displays information on every viaduct in the city of chicago. Each viaduct has a reference number (unique).
I'm also running a separate application (externally) in a program called Digital paper. This program stores pictures of the viaducts, all indexed by the same unique reference number.
I also have an seperate application (external) that shows the location of the viaduct on a map. The application is called ArcGIS. These locations are also referenced by the same unique reference number.
I want to link these three applications together so that they work together so that I won't have to create duplicate entries. I also want to be able to go into APEX, see the viaduct information and be able to link to its mapped location or photo.
Am I shooting for the stars or what??? Is this at all possible?

Bug? - Submitting page with html name attribute in content

Hello,
I use a modified version of Task Manager to track tasks in my group at work. I wanted a "non-standard" report to show the users the history of their task at the bottom of a page. Basically I created a PL/SQL function that returns preformatted HTML as I would like it to be displayed in a row of the report. The end result is great - a highly customized report layout with little effort.
The problem is that recently a user copied and pasted some HTML from another web application into the body of a task and saved it. The next time the task was opened my report at the bottom displayed what they had entered previously. However, this time when the user clicked save and submitted the page, he got a page can not be displayed error. After a little digging, I found that the HTML the user had pasted previously contained an HTML element that had a name attribute. When I removed the name attribute, the page submitted fine which leads me to believe that the ApEx engine tried to bind the value of that item with an application item and it choked when no match was found - similar to the way it chokes if you submit a valid item that contains more than 32767 bytes of information.
The fix for my situation is simple. I'll use regular expressions to find these name attributes when saving the page and strip them out. I only bring it up because it could possibly effect other users that might not be able to figure out what the problem is.
Regards,
Dan
http://danielmcghan.us
http://sourceforge.net/projects/tapigen

Dan,
Part of the data stream being emitted to the page is:
< input type="hidden" name="_ctl0:_ctl34:_ctl0:dgCriteria" value="_ctl0:_ctl34:_ctl0:dgCriteria" ...
Since your report does not escape the data, it gets interpreted by the browser as HTML -- a form input item in this case. And yes, modplsql complains because that name cannot be bound to a PL/SQL input parameter in the form-handling procedure.
The correct way to handle this generic problem (second-order cross-site scripting) is to always escape output to the browser unless you control the content from origin to the time it is emitted.
Scott

Special character problem in XSLT

When using escaped output charcters like:
< &; > &quote; etc, the lt and amp just don't seem to be handled correctly. Result for the above code is:
< & > "Instead of the < and & you would expect, you get the ascii codes.
What do I have to do to get < and & in my output?
null

hi,
[Problem in transforming XML to string using XSLT;
Chk the above link.might solve ur issue.
Regards.
Siddhesh Naik

10g - CSS set to 800 px. - how to centre on screen

Have set up skins, etc. in CSS and set width to 800 px. but am having trouble getting the pages to render in the centre of the screen not to the left.
I have tried setting left and right margins to auto (as this works in Dreamweaver with CSS) but this has had no effect.
Can anyone please offer a solution?
Thanks
Jo

Has anybody found a way to create a drop down menu for a horizontal top menu?
I feel half way there in that I call javascript in each top menu item
<af:commandMenuItem id="menuItem" text="#{msg[foo.label]}" action="#{foo.action}" rendered="#{foo.rendered}" onmouseover="popmenu(this)">
And include the java script for each sub menu item.
<af:outputText id="menuScript" escape="false" value="#{MenuManager.menuScript}"/>
But I can not then have clickable < af:commandLink> inside the drop down menu since then they are not parsed by ADF (included in the non-escaped output text) :-(
I can only do simple links or tried using a filter using reflection in the filter to get the backing beans and methods, but here get a null pointer exception if I try to get the: FacesContext.getCurrentInstance().getExternalContext()
Any ideas?

Working with LIKE operator

hi,
i have a small confusion in escape clause.
create table products (product_name varchar2(100));
begin
insert into products (product_name) values('A%_WQ123');
insert into products (product_name) values('A%BWQ123');
insert into products (product_name) values('AB_WQ123');
commit;
end;
select * from products where product_name like '%\%_WQ12%' escape '\';
output:
product_name
A%_WQ123
A%BWQ123
can you please tell how this is working, in the above statment the ESCAPE will escape only % or both %and_
thanks,

Are you after this?
select * from products where product_name like '%\%\_WQ12%' escape '\';
Cheers,
Manik.

Get xmlType column into xsql page

I have a table with normal columns such as string types, plus one xmlType column.
For example, the xmltype column can be <mark>ibm</mark>.
In xsql page, I tried to select all the columns out (including the xmltype col).
I want the xml column as part of the final xml output such as:
<?xml version="1.0" encoding="ISO-8859-1"?>
<page>
<ROWSET>
<ROW num="1">
<xmlcolumn>
<mark>ibm</mark>
</xmlcolumn>
</ROW>
</ROWSET>
</page>
I found out that I can't just do:
select t.xmlcolumn from table t;
The page complain that can't convert xmlType to string.
So I did
select t.xmlcolumn.getClobString() as xmlcolumn from table t;
However I got:
<?xml version="1.0" encoding="ISO-8859-1"?>
<page>
<ROWSET>
<ROW num="1">
<xmlcolumn><mark>ibm&/lt;mark>
</xmlcolumn>
</ROW>
</ROWSET>
</page>
It seems that xsql translate the <mark>ibm</mark> to real String instead of integrate it into the final xml string.
Does anyone know how to do this?
Thanks a lot.
Kai.

hi
I have this:
CREATE TABLE XML_TAB (XMLVAL XMLTYPE);
INSERT INTO XML_TAB VALUES (XMLTYPE('<EMP><EMPNO>666</EMPNO><ENAME>Jef</ENAME></EMP>'));
INSERT INTO XML_TAB VALUES (XMLTYPE('<EMP><EMPNO>777</EMPNO><ENAME>Jan</ENAME></EMP>'));So in SQL*Plus "SELECT XMLVAL FROM XML_TAB" gives:
XMLVAL
<EMP>
<EMPNO>666</EMPNO>
<ENAME>Jef</ENAME>
</EMP>
<EMP>
<EMPNO>777</EMPNO>
<ENAME>Jan</ENAME>
</EMP>If I try this test1.xsql:
<xsql:query connection="my_conn" xmlns:xsql="urn:oracle-xsql">
SELECT XMLVAL FROM XML_TAB
</xsql:query>I get java.lang.NoClassDefFoundError: oracle/xdb/XMLType
If I try this test2.xsql:
<xsql:query connection="my_conn" xmlns:xsql="urn:oracle-xsql">
SELECT (XMLVAL).getClobVal() AS XMLVAL FROM XML_TAB
</xsql:query>I get this "escaped output":
<?xml version = '1.0'?>
<ROWSET>
   <ROW num="1">
      <XMLVAL>&lt;EMP>&lt;EMPNO>666&lt;/EMPNO>&lt;ENAME>Jef&lt;/ENAME>&lt;/EMP></XMLVAL>
   </ROW>
   <ROW num="2">
      <XMLVAL>&lt;EMP>&lt;EMPNO>777&lt;/EMPNO>&lt;ENAME>Jan&lt;/ENAME>&lt;/EMP></XMLVAL>
   </ROW>
</ROWSET>But I want this, just XML:
<?xml version="1.0" ?>
<ROWSET>
     <ROW num="1">
          <XMLVAL><EMP><EMPNO>666</EMPNO><ENAME>Jef</ENAME></EMP></XMLVAL>
     </ROW>
     <ROW num="2">
          <XMLVAL><EMP><EMPNO>777</EMPNO><ENAME>Jan</ENAME></EMP></XMLVAL>
     </ROW>
</ROWSET>So if I understand your suggestion and try this wrapper.xsql:
<xsql:include-xsql xmlns:xsql="urn:oracle-xsql" href="test2.xsql" reparse="yes"/>... I still get the same "escaped output" as above
In the xsu12.jar I use is a file named "XSU12_VERSION_9_2_0_1_0_rdbms", does this tell me anything about the version?
What am I doing wrong here?
tnx
-Jan

Philosophy, Best Practices and SOP??

Background: Most of my development experience has evolved from VB, VC++ and the like; not JSPs, Servlets, HTML, etc But I like it
Brief: I am currently developing some jsps that are initialized with data on load. I have a table that gives me a complete list of items, I only show details for one item at a time. On selecting any given item I reload the page and retrieve the details for the selected item. I use the JNDI principles in loading the information and servlets to add, edit, or delete the information.
Question: Am I heading down the right path? Is there a better strategy I should be looking at (before I get too far)? Is it wise to use more than one connection when loading the page?
Example Code:
   <%!
        Date cDate = new Date();
        int iMonth = cDate.getMonth();
        int iDay = cDate.getDay();
    %>
    <%
        String gMnth = (String) request.getParameter("mnth");
        String gDay = (String) request.getParameter("eday");
        String gYear = (String) request.getParameter("crdate");
        if(gMnth == null){
          gMnth = Integer.toString(iMonth);
          gDay = Integer.toString(iDay);
          gYear = "2008-09-09 14:19:51"; // need to format received crdate value
        String strQuery = "";
        InitialContext initCtx = new InitialContext();
        DataSource ds = (DataSource)initCtx.lookup("java:comp/env/jdbc/News");
        Connection conn = ds.getConnection();
        Connection conn2 = ds.getConnection();
        Statement stmt = conn.createStatement();
        Statement stmt2 = conn2.createStatement();
        strQuery = "select sVal1,sVal2,heading,date_created from news order by sMonth,sDay";
        ResultSet rset = stmt.executeQuery(strQuery);
        strQuery = "select sVal1,sVal2,sVal3,heading,descr_en,descr_pt,link,date_created from news where
        sMonth='" +gMnth+ "' and sDay='" +gDay+ "'";
        ResultSet rset2 = stmt2.executeQuery(strQuery);
    %>I understand the code could use some cleaning, but at this point I just want to make sure I'm going in the right direction. Everything seems to be working; except for the battle I am having working with the data through my .js pages.
Any support friendly advice or comments are welcome.
Thanks to the experts!!!
Steve

Looks like you aren't leaking connections. One way to test is to set your connection pool to 1 or 2 connections max, and test your web application in depth. If you leak a connection, you will get an error. Or you can monitor the connections from the database side.
Cross-site scripting is similar to SQL injection but the execution environment is the user's browser instead of the database. If you don't scrub / filter / escape output of data entered by your users, they can inject logic into your web application that will run in another user's browser. The attack vector can be javascript, img, css, etc. For example, if you allow and display arbitrary data, I can set my user name to jleech<script>do something nasty</script>. And your page that shows one user a list of the others will cause my script to run in other users browsers. See http://en.wikipedia.org/wiki/Cross-site_scripting.
A major weakness of the servlet / jsp model is that it encourages "street" html. The output is streamed bytes, and while there are a few use cases where that is required (image, pdf, serving arbitrary files), most servlets and jsps output html as text. Some tag libraries and other 3rd party libraries try to close this gap, but nothing mandates that all output in a servlet or jsp is passed through c:out, aside from diligence on the part of the developer and / or thorough code reviews. Nothing will do a compile-time check to ensure that a servlet can only produce valid output. There are some XML parsing / binding libraries such as JAXB that will pretty much only produce valid XML to a given schema or dtd, but validation still only happens at the end. And none of the Java XML libraries I've seen would work very well in a JSP. In general the problem it is difficult to look at the code that makes XML using the API and determine what XML it would make. They are procedural in nature, vs. declarative. JSP, aside from the procedural code that can reside in scriptlets, is declarative (as is HTML).

Are there graphs available in any oracle client like slq*plus or pl/sql dev

For example,
can we graph the result of a qeury performance or not, if so how.

user13328581 wrote:
can we graph the result of a qeury performance or not, if so how.Yes. But the graph needs to be rendered by a client. So it all depends on WHAT the client support.
SQL*Plus is character-based (console) client. It cannot render graphics. Or HTML. So it has very limited options to display a graph. E.g. doing a vertical barchart of employee salaries as a percentage of total company amount spend on salaries:
SQL> select ename, rpad('*',round( sal / sum(sal) over (partition by null) * 100),'*') as percentage from emp order by 2;
ENAME      PERCENTAGE
SMITH      ***
JAMES      ***
WARD       ****
MARTIN     ****
ADAMS      ****
MILLER     ****
TURNER     *****
ALLEN      ******
CLARK      ********
SCOTT      **********
BLAKE      **********
JONES      **********
FORD       **********
KING       *****************
14 rows selected.With HTML, this can be done using a HTML table and a single colour image (few pixels) and sizing the image to render according to the percentage value to display.
If a the client is a Flash-based plugin (like Anychart that ships with Oracle Apex), the output needs to be XML.
If the client is a spreadsheet (OpenOffice or MS Excel), then it can directly run the SQL, populate a workspace region with the output, that triggers a graph for that region to be updated.
So the question you are asking has nothing to do with the SQL or PL/SQL languages themselves - but everything to do with WHAT the client is, and the FORMAT it expects the data to render in.
Standard client-server concepts.

Anybody know how to do this ?

Hi,
I'm using apex 4.1,
this is what i'm trying to do.
ex:
- I have a hidden field (P20_TEXT). Source has some static text with html tags.
- I have a select list control and i set the label of this to be &P20_TEXT.
i'm expecting it to get the value of P20_TEXT item and render those html tags and display it as label. but its not rendering the html tag.
Is there any workaround for this ??
Really appreciate if someone can assist me on this.
Thanks guys,
Kuru.

Apex escapes the html codes in the item values while rendering, which will then show the label as html tags.
If that is the case then try this
Edit the item > Label > HTML Table Cell Attributes > give an id="PX_ITEM_NAME_LABEL"
create a dynamic action on page load to execute the below javascript
$('#PX_ITEM_NAME_LABEL').children('label').html(unescape($('#PX_ITEM_NAME_LABEL').children('label').text()));

Computed Region TItles being Escaped in Apex 2.2

In Apex 2.0, HTML contained within a hidden item to be display in a Region's Title was not escaped. <BR>In Apex 2.2, the same information is now escaped and my computed Region titles are displaying HTML text, instead of the HTML.
I would like to be able to generate region titles instead of them just being fixed text.
Is there anything I can do here? It would be great if there was a way to unescape the Title.<BR>
Furthermore:<BR>
If I put the HTML directly into the Region Title, it displays fine. So the question is .... why does the info get escaped if it is in an item for display? You can imagine how long the region title will become if a few anchors are presented in the title.
Message was edited by:
sgreber

Doug:
I agree, I think the help text is, in fact, stating the opposite of the observed behaviour.
Quoting When session state is referenced in this way, the value emitted to the page will have special characters (<, >, &, ") escaped if the referenced item has one of the following safe item display types:
But what we see is that if the referenced item is of type "Hidden", special characters *are* escaped. If the item is a "safe item", then, by definition, it cannot be tampered with, so there is no need to escape it on output!
What worries me is that such a major change was introduced in a minor patch release like 2.2 where even the export/import API version has not changed i.e. it is otherwise compatible in all aspects. I am sure this is going to cause Production applications at many customer sites to break because they rely on HTML markup in &ITEM. variables being rendered unchanged.
Thanks

Apex escaping output

Similar Messages

Maybe you are looking for