Rich text Editor and XSS

We have started to use rich text editors within our application and there is a nice little feature that will escape script tags on insert into the database:
i.e. the code:
<script>alert(1);</script> is stored in the database escaped.
This is great as it guards against Cross Site Scripting, as the value is treated as text and not evaluated as script when rendered out of the database.
If, however, you edit your escaped text in source mode within the editor and replace this with the original un-escaped text, the DML procedure that gets the values into the database does not escape the values. I was wondering if there is a reason why text is escaped of script tags in a rich text editor but not when the RTE is switched to Source Mode.
If this is a bug, I can raise an SR.
Regards
Duncs
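As an added example (not from the thread and not APEX's own code): the dependable place to neutralise markup is on the server, in the store or render path, independent of whether the editor was in WYSIWYG or Source Mode. A plain-text field is simply output-encoded, while a rich-text field goes through an allow-list sanitizer that keeps formatting tags, drops every attribute, and discards `<script>`/`<style>` together with their contents. The tag allowlist and the sample inputs are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for this example: formatting tags a rich-text field
# needs, with no attributes at all (onclick=, style=, href= are never copied).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li"}
DROP_WITH_CONTENT = {"script", "style"}   # tag and its text are both removed
VOID_TAGS = {"br"}                         # never emit a closing tag for these


class RichTextSanitizer(HTMLParser):
    """Rebuilds markup from scratch, keeping only allow-listed tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attrs deliberately discarded

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-encoded: already-escaped input stays escaped and a
        # raw '<' pasted in Source Mode can never become a tag when rendered.
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=True))


def sanitize_rich_text(markup):
    """Server-side sanitizer for a rich-text field, run in the store/DML path."""
    parser = RichTextSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def render_as_text(value):
    """Output encoding for a plain-text field: the value is shown, never parsed."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs: the same content via the WYSIWYG path (escaped by the
    # editor) and via Source Mode (raw markup); the server treats both alike.
    wysiwyg = "<p>Hi</p>&lt;script&gt;alert(1);&lt;/script&gt;"
    source_mode = "<p>Hi</p><script>alert(1);</script>"
    print(sanitize_rich_text(wysiwyg))      # <p>Hi</p>&lt;script&gt;alert(1);&lt;/script&gt;
    print(sanitize_rich_text(source_mode))  # <p>Hi</p>
```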

user12601765 wrote:
I need to allow users to create content... I am using APEX 4.1 and am a non-technical user.
Sounds like a use case for Websheets.
And update your forum profile with a real handle instead of "user12601765".

Similar Messages

  • I use Juno for my email. How do I turn on the Rich Text Editor and how do I forward messages inline rather than having everything go as an attachment?

    Using Juno I find no way to turn on the Rich Text Editor. How do I turn it on?
    When I forward a message in Juno, everything goes as an attachment. How do I get messages to go inline?

    Another thing to remember is the phone is actually usable for 911 calls and maybe others. Not a real good idea. Especially for a child.
    It would depend however on the age of the child.
    Good Luck

  • Portlet editor's rich text editor gives javascript error 'access denied'

    I created a header portlet using the Publisher's published content portlet template. When I try to edit the portlet content using the rich text editor in the portlet editor window, I get a javascript error in the status bar stating 'access denied'. I can't even type into the rich text editor window; it's totally disabled. Not that I see anything in there anyway. I'm logged in as admin. I've gone into the publisher explorer admin portlet and even 'published' the portlet's content, but to no avail. When I try to 'add header portlet' in my experience definition and try to use this portlet, nothing shows up; where the header portlet should be is just collapsed, so my banner is just the top bar view bumped right on top of the nav view. (P.S. Does anyone know how to take the ALUI doc's suggestion of 'disabling the topbar view and nav view' so that I can construct what I want entirely in a header portlet?) Anyway, first things first: how do I get that access denied message to disappear in my header portlet's rich text editor, and how the heck do I get it to show up? Help.

    There's probably not a developer in the forum that doesn't uncheck that box the moment they rebuild their machine/environment. Changing the format of error messaging is hardly a fix for the error itself. Personally, I'm uploading 'file content items' now. I create the content in Notepad and then upload > file content item. Then create a portlet that uses the pre-existing (was installed w/ Publisher using their PTE) 'published content item' web service. Go into the portlet's settings and associate the portlet w/ the content item you uploaded. Voila.
    As far as using their rich text editor to create new content, I personally have no need anymore. However I'm sure our content managers will probably have to soon so I hope our latest installation will accommodate them w/o error, because I've never been aware of an actual fix to this problem.

  • Hiding the rich text editor toolbar

    Hey all,
    I have an ADF page that contains a few rich text editors and it looks a little busy with all the toolbars. What I'd like to do is hide the toolbars when the rich text editor does not have focus. I couldn't find anything in jdev's property inspector that would help. How can this be done, if at all?
    I'm using JDeveloper 11.1.1.7.0.
    Thanks,
    Bill

    The toolboxLayout attribute may be used to remove some of the toolbar buttons.
    Refer to <af:richTextEditor>.

  • I just loaded the most recent FFox8, and Gmail messages no longer load. All I get is an ad, and a blank. If I try to reply, a message says "cannot load rich text editor."

    Gmail loads, but when I click on an email, the body is blank, except for a two-line text ad. I can see the source code via the menu selection.
    I tried to "reply" and see if I could read the attached email, but I got a message that said "cannot load the rich text editor".
    How can I get back the previous version of Firefox?

    "GMail entire message content missing (blank) after header title"
    In Firefox, if you have the "Adblock Plus" extension:
    1. "Ctrl+Shift+F" Preferences (or right click on the ABP symbol and choose Preferences)
    2. 'Filters' menu > "Update all subscriptions"
    reference: https://support.mozilla.com/questions/896267

  • Rich Text Editor: Block cut and paste

    I have a text block where users can type in a statement. If I use the standard default Text Area, I can use Javascript to prevent them from pasting in text (actually, I need to block both cut and paste). This is because the statement has to be typed in manually - not copied from a previous statement.
    However, if I use any of the Rich Text Editors, I can't block the paste command (either CTRL-V or the right-click and "Paste"). Is there any way in either of the editors (FCKEditor or CKEditor 3) to block the ability to paste into the form? I would like to give them some of the additional editing features (spell check, etc.) but I can't let them paste.
    Please advise.
    Thank you in advance.

    This may be a result of the fonts the Word doc used.
    Pages does not use an algorithm to 'create' an italicised character from the 'base' version. It can show italics only if the font used contains an italic set.
    Paste and match style pastes only the bare text, and uses the font and other attributes already set at the insertion point in the Pages document.
    Regards,
    Barry

  • Rich text editor (apex 4.0)

    using blue gray theme and a page with a rich text editor. Expanding the rich text options displays the text body p below the text area that persists even if you close the rich text options. Anybody know how to get rid of that behavior?

    I think you're mixing 2 technologies.
    On one side you have XML in combination with XSL (style sheets used in BI Publisher and FOP) to generate your PDF. And on the other side you have HTML...
    XML and HTML are 2 entirely different technologies which you cannot mix this simply. I investigated the same problem as you had, and in the end I ended up using JasperReports instead of FOP.
    Maybe BI Publisher has some HTML regions which you could insert into your Word document, but I doubt it, because more people have asked the same question on this board...
    So my advice: use JasperReports (also, it is free for commercial usage).
    Success
    Br,
    Nico

  • Rich Text Editor Options

    I am working on a project that needs a Rich-Text Editor with the ability to insert tables, images, and more complex editing features such as what FCKEditor provides, but ideally one that was built with Flex in mind. Is there such an editor available? I have seen a few options but nothing that really matched the functionality of FCKEditor, for example.
    Thanks

    Hello,
    I was looking for a Flex version of the FCK Editor; unfortunately, I could not find a fully complete solution, but I found the following which might help you:
    1. http://flashtexteditor.com/flexdemo/full/
    2. http://drumbeatinsight.com/examples/htmlcomponent/editor/HTMLWithRTE.html
    L.L.

  • Using a different Rich Text Editor ?

    Hi,
    I'd like to know if you're using a different Rich Text Editor other than the one provided by Oracle?
    Are you satisfied with it? Especially in the management of images?
    Thanks
    Max.

    There is a TextFlow component:
    http://blog.flexexamples.com/2009/07/25/exporting-a-textflow-object-in-flex-4/
    It still exports to font tags unfortunately, but it's closer than the RichTextEditor. It's basically at the point where you could even write your own small parser and adapt the output to the format you desire.

  • Why can't I cut or paste in my wiki rich text editor

    The browser does a lovely job of viewing my PBworks classroom page, but I cannot type, cut, or paste in PBworks' rich text editor mode, so I can't edit from my phone, and I suspect I will find the same problem when we switch to iPads next fall. Any help?

    This problem should be at least partly fixed in Firefox 5, which will be released later this month. If you'd like to help us test the fix now, you can download Firefox Beta from the Android Market:
    https://market.android.com/details?id=org.mozilla.firefox_beta

  • Portal Rich Text Editor in Firefox 3.5 Not Working

    I'm using Oracle Portal Version: 10.1.4.0.0 (Build: 594)
    The text item Rich Text editor works fine in IE 6 and has reduced functionality in Firefox 3.0 (scroll doesn't work). I've just updated to Firefox 3.5 and the text editor doesn't work at all now.
    The user is presented with a grey box where all the text controls are squashed into the top left hand corner.
    The following errors appear in the Error Console:
    Error: element.children.tags is not a function
    Source File: http://xyz.example.net:7778/images/webword/WebWordMenuToolbar.js
    Line: 1
    Error: attachEvt is not defined
    Source File: http://xyz.example.net:7778/images/webword/buildUI1.js
    Line: 76
    (I've replaced our server url with http://xyz.example.net)
    Has anyone else noticed this? Has anyone got any suggestions on what I can do to investigate/fix it?
    Thanks,
    Matt
    Update:
    There is a patch available to potentially fix the Rich Text Editor issues in Firefox:
    "The Rich Text Editor Does Not Work Correctly In FireFox" - Metalink Doc ID: 456512.1
    or you can replace the RTE completely with a 3rd party editor:
    "How to integrate third party RTE (FCKeditor) with Oracle Portal" - Metalink Doc ID: 352796.1
    Using FCKEditor may well solve the issues but I only use Firefox for development. Our users use IE6 so I don't want to replace the interface unless I have to.
    Edited by: Matt Hawkins on Jul 15, 2009 1:58 PM

    This is a known issue in both Portal 10.1.4.x and Portal 11.x:
    Bug 8708210 (11) NOT ABLE TO RENDER RICH TEXT EDITOR WITH FIREFOX 3.5 BROWSER
    This bug is not published on Metalink.
    There is no solution yet. Consider using IE Tab (https://addons.mozilla.org/en-US/firefox/addon/1419) for editing file items until this bug is solved.

  • Using rich text editor (RTE) for custom applications

    Our users enter texts in two places:
    1) In Oracle Portal in text-items using the Rich Text Editor.
    2) In text-fields in a custom application using html-tags <textarea>blabla</textarea>. For formatting the users currently have to type in html-tags themselves. Now we want to provide them an html-editor.
    We would prefer to use the Rich Text Editor also for the custom application. However, that is integrated in Portal and the java-scripts are not easy to follow.
    Have you tried something similar? So, did you use the Rich Text Editor for your own application? If yes, how?
    If not, a very good alternative would be the qwebeditor (see http://www.qwebeditor.com). Did anybody replace the standard Portal rich text editor with the qwebeditor? In the Portal guides there are instructions about replacing the Portal rich text editor by another editor, but it is not clear if this will also work with the qwebeditor.
    Thanks for your response!
    Best regards, Jan Willem Vermeer

    Hi Jan,
    I have configured FCKeditor for a few clients, and the process is pretty straightforward; you can use the steps in the document (http://www.oracle.com/technology/products/ias/portal/pdf/cm_rte_1014_features.pdf).
    Basically you download FCKeditor and put it in your Apache server (you can put it under the htdocs folder); after that, all you need to do is modify $ORACLE_HOME/portal/images/webword/buildUIHTML.html to reference the FCKeditor JS and CSS, and you can do the same type of reference for your custom apps.
    Regards,
    Juan

  • Need to have a Rich Text Editor

    I require a Rich Text Editor wherein I can copy both text and attachments (Word/Excel/PDF) from an email (Outlook or Lotus Notes) and have that stored into an Oracle table.
    The text that is copied must go into a CLOB column in the database whereas the attachments should be stored as a BLOB.
    My preference is copying the complete data (text and attachments) in one go but if that is not possible then copying the text and attachments separately would do.
    Also there is no limit on the number of attachments that might be there.
    Any solution using Java / Oracle would be greatly appreciated.

    Hi,
    We are trying to connect to Lotus Notes mailbox using JavaMail using the IMAP protocol. We are successfully able to ping our mail server but are not able to connect to the mailbox. We tried the default port option for IMAP (143) but were not able to ping the server as well but with port 25 we are able to ping the mail server.
    Please find below the error we are getting on the console -
    Exception in thread "main" javax.mail.MessagingException: 220 SERVERNAME Hello!;
    nested exception is:
         com.sun.mail.iap.ConnectionException: 220 SERVERNAME Hello!
         at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:477)
         at javax.mail.Service.connect(Service.java:275)
         at jmail.javamail.main(javamail.java:51)
    Caused by: com.sun.mail.iap.ConnectionException: 220 SERVERNAME Hello!
         at com.sun.mail.imap.protocol.IMAPProtocol.processGreeting(IMAPProtocol.java:201)
         at com.sun.mail.iap.Protocol.<init>(Protocol.java:91)
         at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:87)
         at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:446)
         ... 2 more
    Please let us know if we need to perform any additional authentication check needed before connecting to the server.
    Any help is appreciated.

  • Max characters in a Rich Text Editor?

    Is there a "hard limit" on the number of characters I can enter into a Rich Text Editor?
    My testing suggests that you can only have 4000 characters. If I submit more than 4000, i.e. 4001, I get the following error message:
    ORA-01461: can bind a LONG value only for insert into a LONG column
    The data type I am trying to insert into is of type CLOB (which, if memory serves, can store up to 4 GB).
    We are using Oracle Application Server (Apache and MOD_PLSQL), so I imagine that there is possibly a limit here as well with how much data can be posted.
    Thanks for any help.
    Duncs

    Hi Duncs,
    I tried to reproduce your problem on our internal development system but was not able to do so. What did I do?
    1) Created a new table with the following statement
    CREATE TABLE DEPT_WITH_CLOB
       ( "DEPTNO" NUMBER(2,0),
         "DNAME" VARCHAR2(14),
         "LOC" VARCHAR2(13),
         "MORE_TEXT" CLOB,
         PRIMARY KEY ("DEPTNO") ENABLE
       );
    2) Created a new application with a "Report and Form" based on the DEPT_WITH_CLOB table.
    3) Modified P2_MORE_TEXT to use Rich Text Editor as item type.
    4) Executed the page and entered a text which was more than 18,000 char long
    5) Clicked apply changes and everything was stored without a problem.
    Can you provide more information about your system?
    1) APEX version
    2) Database Version
    3) Do you use database links in your apps or do other applications use database links?
    4) If yes, which database version are those databases?
    5) If you are able to reproduce the problem on apex.oracle.com that would also be of great help.
    Thanks
    Patrick
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf

  • Print PDF rich text editor using BI Publisher

    Hi !
    I have a CLOB field from the database, and I store data using a rich text editor, like a MS Word system; here, as you know, I can write words in bold format, use different kinds of colors, etc., and use all the formatted text that the editor allows me. I have no problems once I save this data into the table and restore it again; I can see all this data formatted, and I don't lose any property of this formatted text.
    The problem is when I want to print this information in the same way that I can see it in the rich text editor. I use BI Publisher to generate a PDF; when I send this field to print a PDF, the PDF that BI Publisher generates prints only text, printing all the characters, including the ones that make the text formatted. For example, if the field is written in bold, "<b>hello</b>", in the PDF generated by BI Publisher I see "< b. > hello < / b>".
    Please, what is the way to print the same as is displayed in the rich text editor?
    Thanks in advance.
    Edited by: Almogaver on 07-mar-2011 14:35
    Edited by: Almogaver on 07-mar-2011 14:36
    Edited by: Almogaver on 07-mar-2011 14:37

    Bump again. I understand how to remove the HTML tags; that's not a problem. The problem is getting the report to print the data from a Rich Text Field stored in a CLOB or NCLOB as formatted text. Is there a "Master Style Template" or "Master Rich Text Field Subtemplate"?
    Richard