Escaping special charechters

Hi all,
In my JSP page i have a text area where special characters also can be entered. When i use �request.getParameter� I get some junk characters instead of the original special characters like ₤ � � ∞ � ┼ № ₣ ∑ etc. I tried using <%request.setCharacterEncoding("UTF-8");%> etc. Any help is appreciated. Thanks a lot in advance.

Hmm ... what do you mean by "get junk characters", where do you display those? I tried the following script with IE, and it worked (displayed the chars I enter):
<%@ page contentType="text/html;charset=UTF-8" %>
<html>
<head>
<title>Bleep</title>
</head>
<body>
<form>
<textarea name="hurz"></textarea> <input type="submit" value="Ok"/><br/>
<%
if (request.getParameter("hurz") != null) {
out.println(request.getParameter("hurz"));
%>
</form>
</body>
</html>

Similar Messages

Escape special characters in url for redirection

In my web page, I want all the characters of the URL to be lower case. For that I created the following method:
private bool UrlFormatoCorrecto(string url)
bool formatoCorrecto = true;
bool upperCa = url.Any(c => char.IsUpper(c));
if (url.Any(c => char.IsUpper(c)))
formatoCorrecto = false;
if (url.Contains(" ") || url.Contains("+"))
formatoCorrecto = false;
return formatoCorrecto;
This works like a charm until a special character appears. The url that I get then will be the following:
http://localhost/web/coches/proven%C3%A7a-aribau,-08036-barcelona,-barcelona
So I have upper case characters. When I redirect it using the following code:
if (!UrlFormatoCorrecto(urlActual))
Response.RedirectPermanent(urlActual.Replace(" ", "-").Replace("+", "-").ToLower());
I get the code again with the same URL with upper case. How can I escape the special characters so they won't bother me anytime I want to make the redirection?

hello,
you could escape special caracters with :
Regex.Escape Method
Regards
Cédric

SQL Injections and XSS - Escaping Special Characters

Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
Surely I don't have to manually do each of then.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&<>' in session state and/or the database ?
2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
Thx
Nigel

Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators.

How to escape special xml characters in ALSB

Hi
Can some one tell me how to replace special xml characters < ,> with < and >
I have xml node like below
<payload>
<RatingDetails>
<Action>Add</Action>
</payload>
Using fn-bea:serialize i got xml string as
<payload><RatingDetails><Action>Add</Action></payload>
I want output as below
<payload><RatingDetails><Action>Add</Action></payload>
Appreciate your help
Thanks in Advance

when i use fn-bea:serialize my request xml node converted to xml string.To that string i had escaped special xml characters.
Original request:
<abc>
<a1 >123</a1>
<payload>
<d>345</d>
<e><678></e>
</payload>
</abc>
After using serialize it became as below (everything in one line)
<abc><a1>123</a1><payload><d>345</d><e><678></e></payload></abc>
then i used java callout for replacing special xml chars in payload element,
now my request is
<abc><a1>123</a1><payload><![CDATA[& lt;d& gt;345& lt;/d& gt;& lt;e& gt;& lt;678& gt;& lt;/e& gt;]]></payload></abc>
i dont want my payload data to be enclosed within CDATA but by default i am getting it when i run my xquery for generating request.
This might be because & will not get parsed in xml parser so enclosing evrything in CDATA.
Need solution to remove CDATA and send the payload data as it is..

How to escape special characters in Simple Transformation

Hi Experts,
I have got a problem to get a well formed xml document from the below simple transformation. The content of maktx contains
special characters like & <, which are not allowed in a well formed XML-Document. But the result of the Simple Transformation
contains this charcters even after the transformation as you can the in the result below. Has anyone a hint how to escape the
characters included in the maktx.
The transformation for maktx, should be something like
Before: Material & < TEST
After: Material &amp &lt TEST
Report wihich calls the simple transformation
types:
BEGIN OF t_mat,
   matnr type matnr,
   maktx type maktx,
end of t_mat.
Data:
mat type t_mat,
xml_stream type xstring.
START-OF-SELECTION.
mat-matnr = '4711'.
mat-maktx = 'Material & < Test'.
CALL TRANSFORMATION ztest_st2
        SOURCE mat = mat
        RESULT XML xml_stream.
CALL FUNCTION 'DISPLAY_XML_STRING'
EXPORTING xml_string = xml_stream.
Simple Transformation
<?sap.transform simple?>
<tt:transform xmlns:tt="http://www.sap.com/transformation-templates">
<tt:root name="MAT"/>
<tt:template>
    <Leistungsschild>
        <CHARACT> MATNR </CHARACT>
        <CHARACT_DESCR> Materialnummer </CHARACT_DESCR>
        <VALUE tt:value-ref="MAT.MATNR"/>
        <CHARACT> MAKTX </CHARACT>
        <CHARACT_DESCR> Materialkurztext </CHARACT_DESCR>
        <VALUE tt:value-ref="MAT.MAKTX" />
    </Leistungsschild>
</tt:template>
</tt:transform>
RESULT
<?xml version="1.0" encoding="utf-8" ?>
<Leistungsschild>
<CHARACT>MATNR</CHARACT>
<CHARACT_DESCR>Materialnummer</CHARACT_DESCR>
<VALUE>4711</VALUE>
<CHARACT>MAKTX</CHARACT>
<CHARACT_DESCR>Materialkurztext</CHARACT_DESCR>
<VALUE>Material & < Test</VALUE>   </Leistungsschild>

Hi Sandra,
First of all thaks for your quick answer to my problem.
I see what you mean and get the same result, if I am using data-type string instead of xstring. But the recommendation in the XML-Books of SAP is to use XSTRING to save memory and circumflex problems between Codepages, when writing the XML-Stream to a filesystem.
As you can see in the code abvoe I am using a SAP-FM to display the XML-Stream and this FM works only with XSTRING´s,
that is one reason why I don´t understand that it displays it in the wrong way.
Even the Debugger shows me for the XSTRING the wrong result. Does all that mean that the escaping will not be applyed if you are working with XSTING´s??

Strategies for escaping special characters.

Hi all,
Our app(built using Workshop) needs to have a generic way of scrubbing special
characters that a user might enter in the UI,and which might cause our sql that
queries the DB to become malformed. To explain further,some of our DB controls
are not using PreparedStatements to set Strings..instead, we are constructing
the sql as a java string like:
String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
and then we do:
Statement stmt=conn.createStatement();
stmt.executeQuery(myQuery).
In such cases, Oracle JDBC driver does not escape any special chars in the String
param,and fails.Other than converting all our queries to use PreparedStatements,
is there a generic pattern/Util class(mebbe RequestUtils) or some way of using
the Servlet Filter API to scrub out any special chars that are input by the user?
Thanks in advance.
Vik.

ServletFilter is the way to go on this one. Don't think there is anything built
into Servlet spec that handles these characters, however, there are a number of
sample filters that do such a task. I think there is a sample in either the O'Reilly
book on Servlets or Core Servlets.
"Vik" <[email protected]> wrote:
>
Hi all,
Our app(built using Workshop) needs to have a generic way of scrubbing
special
characters that a user might enter in the UI,and which might cause our
sql that
queries the DB to become malformed. To explain further,some of our DB
controls
are not using PreparedStatements to set Strings..instead, we are constructing
the sql as a java string like:
String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
and then we do:
Statement stmt=conn.createStatement();
stmt.executeQuery(myQuery).
In such cases, Oracle JDBC driver does not escape any special chars in
the String
param,and fails.Other than converting all our queries to use PreparedStatements,
is there a generic pattern/Util class(mebbe RequestUtils) or some way
of using
the Servlet Filter API to scrub out any special chars that are input
by the user?
Thanks in advance.
Vik.

Escaping special characters

Environment:
Client: win2k sp4, 10.2 client
Server: 9.2 on solaris 9
Is there any way to set an escape character?
Many times we have '&' characters in strings in procedures, and when I try to compile them sqldeveloper prompts for a value thinking that it is a variable.
I've tried the default '\', and 'set escape on' doesn't work either.
Would be even better if there was an option in sqldeveloper to tell it to ignore the '&' character alltogether.
Thanks.

not really the answer I was looking for :(
the devs would end up driving me nuts wondering what all the CHR stuff is in their code.
i guess for now, i'll just keep using PLedit to compile all the procs that have any special chars.
...someday we'll have one tool that does everything ;)

Escape special characters for OData response

Hi all,
I'm facing a problem on HTTP response when some special characters are in my entity fields.
For example I've got a Edm.String field which has characters like ###, ", < (two number signs ## are ok, but three invoke an error)
When I set output format to xml via URI parameter $format=xml, I get following error:
<message xml:lang="en">In the context of Data Services an unknown internal server error occured</message>
Exception /IWCOR/CX_DS_INTERNAL_ERROR in class /IWCOR/CL_DS_EP_WRITER_OUTPUT method /IWCOR/IF_DS_EP_WRITER_OUTPUT~WRITE and Line 39
If I use JSON as output format, HTTP response code is 200!!, but payload just ends on the character which cannot be interpreted:
(ABAP)-JSON generator can handle double quotes much better than XML format:
How can I escape these output strings, without adding chars which will appear in response payload?
Thanks,
Steffen

Hi Uwe & Ron,
thanks for your ideas, but maybe we're not talking about binary data?! This field is an example from TADIR table.
OData entity definition for this field:
Versid
Edm.String
0
0
20
ABAP field definition:
Data Type        CHAR - Character String
No. Characters       20
Decimal Places        0
Output Length        20
Convers. Routine    <empty>
Uwe did you mean another debugger view?
SE16 output for this line:
What if I want to store and receive data with these special chars like ####, ", <, >,... in a ABAP char field (respective OData Edm.String)?
Thanks,
Steffen

Howto escape special characters if using regexp_replace & regexp_substr

hello experts,
following test case
insert into querytest1 (d) values
('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
ERROR at line 1:
ORA-12726: unmatched bracket in regular expression
proof that []{} special characters are the problem:
delete from querytest1;
commit;
-- insert data without special characters
insert into querytest1 (d) values ('#1(170):"type":"FACEBOOK","count":0,"lastEdition":1382627403299,"type":"GOOGLE","count":0,"lastEdition":1381825285002,"type":"EMAIL","count":2,"lastEdition":1381826322925] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
REGEXP_REPLACE(D,REGEXP_SUBSTR(REGEXP_SUBSTR(D,'[^]+',1,1),'[^:]+',1,2),'')
#1(170)::"FACEBOOK","count":0,"lastEdition":1382627403299,:"GOOGLE","count":0,"lastEdition":1381825285002,:"EMAIL","count":2,"lastEdition":1381826322925,:"EMAIL","count":2,"lastEdition":1381826322925] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11
so now it works because there are no special characters []{}
is there a way to escape them?
thank you in advance.

oraman wrote:
ok you're right I explain from the beginning.
create table t (q varchar2(4000), d varchar2(4000), result varchar2(4000));
insert into t (q,d) values ('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11',
'UPDATE mytable set value=:1 , valuec=:2 , longvalue=:3 , doublevalue=:4 WHERE productattrnameid=:5 AND productid=:6   AND context=:7');
I would like to get the following:
select result from t;
UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]' , valuec=NULL , longvalue=-3141 , doublevalue=-3141 WHERE productattrnameid=21804 AND productid=3890750   AND context='s11';
the logic is to get the auditing data as ready to execute queries.
It looks you want to include every parameter where parameter is a pattern prefixed by #p1(lenght):param_value #p2(lenght):param_value etc.
Something like this?
set line 1000
col txt format a200
with querytest1 as
select '#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11' d
from dual
select 'UPDATE mytable set value='''|| nvl(trim(regexp_substr (d,'#\d+$\d+$:([^# ]+)', 1, 1, null, 1 )), 'NULL')||''''
       || chr(10) ||'     , valuec='||nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 2, null, 1 )), 'NULL')
       || chr(10) ||'     , longvalue='|| nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 3, null, 1 )),'NULL')
       || chr(10) ||'     , doublevalue='||nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 4, null, 1 )),'NULL')
       || chr(10) ||' WHERE productattrnameid='||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 5, null, 1 )
       || chr(10) ||'   AND productid='||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 6, null, 1 )
       || chr(10) ||'   AND context='''||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 7, null, 1 )||''';' txt
from querytest1;
Result:
TXT
UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]'
     , valuec=NULL
     , longvalue=-3141
     , doublevalue=-3141
WHERE productattrnameid=21804
   AND productid=3890750
   AND context='s11';
1 row selected.
I have a problem formatting the output in the forum but I hope you get it.
Regards.
Alberto

Escaping special characters in SECURITY_PRINCIPAL

I am trying to connect to AD-LDAP with
env.put(Context.SECURITY_PRINCIPAL, "CN=cn /18,CN=Users,DC=company,DC=com");
As you can see I have a / character in my DN. I cannot get a context using this security_principal, I am always getting javax.naming.AuthenticationException. When my DN does not contain / or any special character everything works fine. I thought I had to maybe escape / so I tried
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\/18,CN=Users,DC=company,DC=com");
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\/18,CN=Users,DC=company,DC=com");
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\\\/18,CN=Users,DC=company,DC=com");
without any success.
Thanks in advance,
Nikola

That did not seem to help. By the way, I was really looking for a more generic answer since for example I have the same problem when my SECURITY_PRINCIPAL DN includes /, \, or ' characters.

How to escape special characters in a region title

I have created a drill down report where the second report is filtered by a value chosen in the first report. I am using &Pn_field. syntax to pass the name of the select value to the region title of the second report. Some of the returned values have a ':' in them and therefore the text does not print after the ':'. How do I escape the ':' in the region title?
regards
Paul P

Paul,
I think your question is "How do I use f?p URL syntax to pass data values to a page where the data includes a colon?" (Please correct me if that's not the issue.) The answer is, you can't. Same with commas. HTML DB reserves those two characters for the f?p request syntax. You'll have to save the string into the item before the page branch. There is no restriction on what characters can be used in a region title, it's just HTML-formatted text, except that you must escape anything that looks like HTML unless you want the browser to treat it as HTML. There are restrictions, however, on what characters you can pass in URLs in general and you must take care to escape them properly, e.g., ?, &, whitespace.
And do speak up if I've missed the point.
Scott

Dynamic Images in PDF and Escaping Special Characters

I used the following to create my own PDFs with dymnamic images:
http://marcsewtz.blogspot.com/2012_02_01_archive.html (Dynamic Images in PDF - What 32k Limit? )
I have installed this application on Oracle's free workspace to test.
The issue I am having is that when there is a special character in the description, such as <>'"& then the the PDF will not open. I have tried using the dmbs_xmlgen.convert to convert the description but haven't had any luck.
I'm a complete novice with xml. Any help with this is greatly appreciated.
Thanks,
Glen

I have been able to find a solution, but it's not completely perfect. I have changed the "description" field as follows:
XMLCdata(replace(description,''&'',''and'')) description,
The characters greater than (>), less than (<), single qoute('), and double quote (") can now all be in the description and will not cause errors. For some reason, I couldn't get the & not to give an error no matter what I tried, so I just replaced the & with the word "and". This solution will work for my needs, but it would be nice to be able to get the & to display.
Does anyone know of a way to get the & to display correctly?
Thanks again,
Glen
The complete code I am using is below:
declare
l_print_layout clob;
l_xml_data clob;
begin
-- load print layout from database
for c1 in (
select layout from eba_pdfimg_layouts where id = :P1_LAYOUT
) loop
l_print_layout := wwv_flow_utilities.blob_to_clob(c1.layout );
end loop;
-- generate XML data
for c2 in (
select dbms_xmlgen.getxml('
select
id,
file_name,
mime_type,
XMLCdata(replace(description,''&'',''and'')) description,
-- description,
blob2clobase64(image,''Y'') image
from eba_pdfimg_images
') xml_data from dual
) loop
l_xml_data := c2.xml_data;
end loop;
-- download print document
wwv_flow.g_page_text_generated := true;
apex_util.download_print_document (
p_file_name => 'image_demo',
p_content_disposition => 'ATTACHMENT',
p_report_data => l_xml_data ,
p_report_layout => l_print_layout,
p_report_layout_type => 'rtf',
p_document_format => :P1_FORMAT
end;

Escaping special characters in hidden fields

I am using a hidden field to pass values to the servlet. I am populating the hidden field from a bean. The hidden field can have any string value. My problem is that the value attribute on my hidden field is double quoted and if there is a double quote in the value of the String from my bean it messes my HTML up. Is there an easy workaround for this?
e.g.
<jsp:useBean id="myObject" scope="request" class="MyObject"/>
<input type="hidden" name="myValue" value="<%=myObject.getValue()%>">
If myObject.getValue() returns a string: 60" Mower this will mess my HTML up.
Any suggestions?

First off, Is the Pattern and Matcher specific to JDK 1.4.1? We are currently using 1.2.2? If this is a viable solution, is there a similar one in JDK 1.2.2?
Also, I still don't think it's possible in HTML to escape characters that are values of attributes. Try running the following HTML code:
<html>
<head>
   <script language="JavaScript">
   function getHiddenValue(){
      alert(document.myForm.hiddenDescription.value);
   </script>
</head>
<body>
   <form name="myForm">
   <p>
      <input type="hidden" name="hiddenDescription" value="60\" Mower">
   </p>
   <p>
      <input type="button" onclick="getHiddenValue()" value="Hidden Field">
   </p>
   </form>
</body>
</html>

Escaping special characters in RAW/BLOB

Hi!
I have a BLOB column that needs to be exported into a CSV Textfile. Sounds a bit scary but works fine when you escape the critical bytes.
I need to do the following replacement:
5C -> 5C 5C ( = \ )
22 -> 5C 22 ( = " )
00 -> 5C 30 ( = ?? )
0A -> 5C 0A ( = LF )
0D -> 5C 0D ( = CR )
If I use the replace function on my raw string, I can replace the bytes representing characters or numbers without a problem. " and \ also works fine but the nonprintable ones don't work - I guess implicit type conversion to varchar is the cause.
Anyway, I want to replace this stuff, but I couldn't find any native binary replace function. How can this be done? Do I have to write my own function? I fear byte by byte manipulation in PL/SQL on large data will not be very performing...
Thanks, Mac

so here's my function, feel free so use
function get_raw_escaped (
pv_data_source raw
return raw
is
lv_data_escaped raw(32767) := null;
lv_length          number;
lv_offset          number;
lv_chunk_bin     raw(100);
lv_chunk_hex     varchar2(100);
begin
     lv_length := utl_raw.length(pv_data_source);
     if lv_length = 0 then return null; end if;
     for lv_offset in 1..lv_length loop
          lv_chunk_bin := utl_raw.substr (pv_data_source, lv_offset, 1);
          lv_chunk_hex := rawtohex(lv_chunk_bin);
          CASE lv_chunk_hex
               WHEN '00' THEN lv_chunk_hex := '5C30';
               WHEN '0A' THEN lv_chunk_hex := '5C0A';
               WHEN '0D' THEN lv_chunk_hex := '5C0D';
               WHEN '22' THEN lv_chunk_hex := '5C22';
               WHEN '5C' THEN lv_chunk_hex := '5C5C';
          ELSE null;
          END CASE;
          lv_chunk_bin := hextoraw(lv_chunk_hex);
          lv_data_escaped := utl_raw.concat(lv_data_escaped, lv_chunk_bin);
     end loop;
     return lv_data_escaped;
end;

Escaping special characters in xml

I have an XML file that has answers to a quiz done in Flash
and AS 1.0. One of the questions has answers in the form of ">
1" "< 1". This particular answer is referring to less than a
year or more than a year. The < doesn't show up at all in the
answers screen, probably because it needs to be escaped. Is that
possible or do I need to spell out the answer. BTW, is in French
which I don't speak so i am opting for keeping the answers as they
are, and work around the problem by escaping, had it been Spanish
or English I would rewrite the answers comfortably. Any suggestions
would be greatly appreciated. Encoding for the XML file is xml
version="1.0" encoding="utf-8"

<
&
>
'
"

Escaping special charechters

Similar Messages

Maybe you are looking for