Script to find report columns with XXS vulnerabilities

Hi,
Report columns with display as "Standard Report Column" are vulnerable to Cross Site Scripting attacks. I have written a simple script to find these report columns and described an easy way to change them all at once. Check: http://wiki.shellprompt.net/bin/view/Apex/XssExamples
Regards Pete

Hi Pete,
good that you bring up that security issue!
I was talking to Joel during ODTUG about the "Standard Report Column" default the wizard uses and he said that this might be changed in the next version to use the more secure "Display as Text (escape special characters, does not save state)"
Patrick
My APEX Blog: http://inside-apex.blogspot.com
The ApexLib Framework: http://apexlib.sourceforge.net
The APEX Builder Plugin: http://sourceforge.net/projects/apexplugin/

Similar Messages

How to find report created with Report Painter?

Hi!
how to find report created with Report Painter?
Here is the information that I have:
Object filename, let's say <b>Y_P01_90000001</b>
Report painter object <b>INV-102</b>
The thing is that Library is unknown, thats why I can not find it via GR22...
Any ideas?
Will reward,
Mindaugas

Check in GRR3 under <b>INV</b> node...

Column link - call java script & assign current report column value to item

Hi,
How to call java script and assing current report column value to item?
I have a button column in the report to 'delete' the selected row.
I want to first show dialog box with message 'Are you sure?'. If yes, process to delete
will be executed, else no action.
In order to fire JS, I used Column Link ->Target=URL.
Problem: The alert is showing but I don't know how to pass selected row's primary
key value to process (to delete selected row).
I have a item which can be used to store selected primary key value but don't know how to assign the value
when button pressed.
Thanks in advance
Dip

Ok. The issue has been resolved by following way.
PAGE PROCESS: delete_request
begin
delete xyz
where id = :P8_id;
commit;
end;BUTTON URL:
javascript: DelRec(null,'CREATE', 'f?p=&APP_ID.:8:&SESSION.:delete_request:NO::P8_id:#id#');Java Script:
<script language="JavaScript1.1" type="text/javascript">
function DelRec(msg, req, url){
var confDel = msg;
if(confDel ==null){
confDel= confirm("Are you sure?");
}else{
confDel= confirm(msg);}
if (confDel== true){
redirect(url); }
</script>

Script to find active users with responsibility

Dear all,
r12.0.4 on solaris 10
I need a script to find out the users with all the responsibilities attached to the user ..can anyone share the query if u have ?
Kai

Kai,
Please see (Note: 8576725 - Tom's Handy SQL for the Oracle Applications), 2.3. Users and Responsibilities.
You can also submit the "Active Users" concurrent program.
There are many scripts available in the forum, you can also use them.
Query Responsibilities
Re: Query Responsibilities
Regards,
Hussein

Error while associating a report column with a LOV

Hi All,
I have a region based on a SQL Report. One of the columns of this report is based upon a LOV. While running the page, i get the following error -
report error:
ORA-20001: Error fetching column value: ORA-06502: PL/SQL: numeric or value error.
I have checked, the report is fetching the correct data.
Also, the LOV base table has data corresponding to the value of the column of the report.
What could be the problem. Please suggest.
Thanks
Monika

Hi Scott,
I'm also facing the same problem as Monika.
I have an LOV with the following query which returns 8774 records, when I copied and pasted those records into a text file it shows as 220KB in size.
SELECT
p.name d,
p.pers_id r
FROM people p,
people_contacts pc
WHERE SYSDATE BETWEEN NVL(start_date,SYSDATE) AND NVL(end_date,SYSDATE)
AND     p.used_by_orc = 'Y'
AND     pc.pers_id = p.pers_id
AND     pc.group_id IN ('ORC','SHARED')
ORDER BY 1
After searching the forum, I think there's a 32K limitation on the fetched rows in tabular forms, can you please let me know how to overcome this problem?
I'm selecting the persid in the (tabular form) SQL query updatable report.
I'm trying to display the field as Name instead of PERSID by changing it to select list(based on named LOV) or whichever way it can work.
Please help me.
Thanks in advance.
- Pradeep

Custom Report: Columns with headings merged

Hello All,
Is there a way to get a custom layout in reports as depicted in the following image -
http://tinypic.com/r/20sbqtx/6
I can generate the simple layout with A, B1, B2 and B3 headings, but I'm not sure how and where to aggregate the B1, B2 and B3 into B.
Thanks

Create a custom report template including an extra row with column spanning in the header section of the template.

Formatting a report column with "%"

I must format a field of a column report with the symbol %
like this
50%
whet i must put in the Number / Date Format of the field ???
Thak's

GcG-Italia wrote:
I must format a field of a column report with the symbol %
like this
50%
whet i must put in the Number / Date Format of the field ???Nothing. Oracle number format models don't support "%".
In a standard report or APEX 4.2 interactive report use an HTML Expression in the column attributes:
#PERCENT_COL#%In an interactive report prior to 4.2 it has to be done in the query as shown above, which adversely impacts sorting, exporting etc as the column value is no longer a number.
Help us to help you. When you have a problem you should provide as much relevant information as possible upfront. This should include:
<li>Full APEX version
<li>Full DB/version/edition/host OS
<li>Web server architecture (EPG, OHS or APEX listener/host OS)
<li>Browser(s) and version(s) used
<li>Theme
<li>Template(s)
<li>Region/item type(s) (making particular distinction as to whether a "report" is a standard report, an interactive report, or in fact an "updateable report" (i.e. a tabular form)
And always post code wrapped in <tt>\...\</tt> tags, as described in the FAQ.

Interactive report column with an external link - Sort, chart functions

interesting.... the message text did not make it into the post (twice). But edit seems to work.
Our problem....
We have an interactive report with a column that in some cases will contain information allowing us to build a link. We have updated the report query to return the data tagged with the <a href..... on rows that can be links. The links are displayed and function correctly. However, if we click on the column header so we do something like sort, the page hangs. If we try to create a report using this column we get an error.
We have also tried marking the column as a link in the IR definition. With that design, the sort and reporting isn't an issue, but all the rows are links, which is not what we need.
Does anyone have any ideas on how to solve this problem?
Thanks, Nann
Edited by: Nann on Feb 6, 2010 11:07 AM

Hi Peter,
Thanks for your suggestion. We ended up with a slight variation in the design that allowed us to mark the column as a link.
Basically we have a column just for the link.
In our query we now have 2 columns. One that builds the url, the other the text we want displayed as a link.
If that row should not have a link in it the query returns null for both columns.
We only display the link column in the report.
We use the url column in the link definition .
We've disabled the sort and other functions on this column.
All works as we wanted.
Thanks
Nann

How to write a javascript function on a report column with type select list

I have a report with a select list column:
HTMLDB_ITEM.SELECT_LIST_FROM_LOV(22, "tablename"."PRIMARY", 'PRIMARY').
The value of primary can be null, yes, no. I want to write a javascript to achieve this: once the user changes one primary value to be yes, others with 'yes' will be changed to 'no' automatically.
Could somebody help me on this.
Thanks.
Jen

Thanks Patrick for your quick reply.
I created a dynamic action with the following steps, but the dynamic action is not taking place.
Event: After Refresh
Selection Type: Region
Region: Report 1 (my report name)
Then in the true action
Action: Execute Javascript SCode
Code: showHighlight();
I even tried to get an alert, but the dynamic action is not done at all. It seems the After refresh dynamic action is not working for a region.

Finding Updated Columns with Values in Rows

Hello,
I have a one requierment as below.
if I have Table ITEM with Below records
ParcelID
ItemCode
CurrentLocation
Destination
UpdatingTime
1010
GLS
ABC
XYZ
01-12-14
1015
PHM
SSS
ZZZ
01-12-14
If any of the column value is updated it will replicate to ITEMUPDATE table with old row and new row as well.
Suppose for ParcelID 1010 CurrentLocation Changed from ABC to CDE it will store in ITEMUPDATE table with both records
old and new and if ParcelID 1015 CurrentLocation Changed from SSS to KKK it will also store as below.
Now ITEMUPDATE table will have all records old as well as new rows as below.
ParcelID
ItemCode
CurrentLocation
Destination
UpdatingTime
1010
GLS
ABC
XYZ
01-12-14
1010
GLS
CDE
XYZ
02-12-14
1015
PHM
SSS
ZZZ
01-12-14
1015
PHM
KKK
ZZZ
01-12-14
Like this any column can update not only CurrentLocation.
Now the requirement is I want to know which columns is updated and what is the new value.
Some what results need to look like below.
ParcelID
Old_CurrentLocation
New_CurrentLocation
1010
ABC
CDE
1015
SSS
KKK
Please Anyone Can help me on this .
Thank You,
Avis

Hello Avis,
You need to store date and time in 'UpdatingTime' column in both ITEM and ITEMUPDATE tables.
If you store only date, you will not get desired results as there may be multiple records for a 'ParcelID' in the same date in ITEMUPDATE table. It is difficult to get the latest record from multiple records with same dates for a 'ParcelID' from ITEMUPDATE.
Alternatively you can create a surrogate key , like 'ItemUpdateID', in ITEMUPDATE from which we can get the latest record for a 'ParcelID'. The surrogate key can be a integer identity column so that automatically incremented and updated for each insert
in ITEMUPDATE. Then it is easy to get latest UpdatingTime for a ParcelID from ITEMUPDATE table.
If the table design and data is something as below:
ITEM table
ParcelID   ItemCode   CurrentLocation   Destination   UpdatingTime
1010   GLS                ABC                     XYZ
2014-01-12
1011       MMX               ABD                     XVB
2014-01-12
1015        PHM                SSS                     ZZZ
2014-01-12
ITEMUPDATE table
ItemUpdateID   ParcelID   ItemCode   CurrentLocation   Destination   UpdatingTime
1                         1010         GLS
ABC             XYZ          2014-01-12
2                   1015         PHM            SSS
ZZZ          2014-01-12
3                         1015         PHM
KKK                ZZZ        2014-02-12
4                         1010         GLS
CDE                      XYZ          2014-02-12
5                         1011         MMX
ABD                YYY           2014-01-12
Here 'ItemUpdateID' is identity column.
The SELECT query can be written as below:
SELECT A.ParcelID, A.ItemCode,
B.CurrentLocation 'New_Location',
ISNULL((SELECT CurrentLocation FROM ItemUpdate WHERE ItemUpdateID = (SELECT MAX(D.ItemUpdateID)
FROM ItemUpdate D WHERE D.ItemUpdateID < B.ItemUpdateID AND D.ParcelID = B.ParcelID)), A.CurrentLocation) 'Old_Location'
FROM Item A
LEFT JOIN ItemUpdate B On B.ParcelID = A.ParcelID
AND B.ItemUpdateID = (SELECT MAX(ItemUpdateID) FROM ItemUpdate C WHERE C.ParcelID = B.ParcelID)
The result will be as follows:
ParcelID   ItemCode   New_Location   Old_Location
1010      GLS              CDE   ABC
1011        MMX             ABD      ABD
1015 PHM       KKK       SSS

How to (un)hide report columns based on checkboxes?

Hello,
I have a simple report that selects 4 columns from a table.
I would like to create 2 check boxes (at the report level, not at the row level) corresponding to 2 of the 4 report columns: When they are checked, the corresponding columns are visible. When they are unchecked, the corresponding columns are NOT visible.
Two questions:
1.
This would require submitting the page automatically upon (un)checking either check box. How do I do that?
2.
I have attempted to use the Conditional Display properties of the report columns with hard coded values, but they don't seem to work whether the Show property of the columns is on or off. Any idea why and how to get around it? (I am using 3.2. Could this be a bug that has been fixed in 4?)
Thanks!
Gabor

Hi,
I can not find post where I have explain how sample works.But here it goes:
You need load jQuery in page template or page HTML header if you are not using Apex 4.
Create new blank page. In my case new page id is 70.
Create HTML region to new page called Columns. Use wizard defaults
Create hidden item Px_REPORT_REGION_NAME. Use wizard defaults.
In my case hidden item name is P70_REPORT_REGION_NAME .
Create computation before header for hidden item. Computation Type "Static Assigment".
In computation write name you like use to your report. My case I did write "Employee report".
Create SQL Report. In region title place your hidden item like
&P70_REPORT_REGION_NAME.In my case I did use query
SELECT *
FROM empCreate check box. In my case it is called P70_SHOW_HIDE.
Use from LOV query
SELECT heading,
display_sequence
FROM APEX_APPLICATION_PAGE_RPT_COLS
WHERE application_id = :APP_ID
AND page_id          = :APP_PAGE_ID
AND column_is_hidden = 'No'
AND region_name        = '&'||'P70_REPORT_REGION_NAME'||'.' -- Change P70_REPORT_REGION_NAME to your hidden item name
ORDER BY 2Place to report region footer
<script type="text/javascript">
function hideCol(pThis){
   var lRepId = '#report_data_#REGION_ID#';
   var lCol   = pThis.value;
   if(pThis.checked){
     $(lRepId + ' td:nth-child(' + lCol + ')').show();
     $(lRepId + ' th:nth-child(' + lCol + ')').show();
   }else{
     $(lRepId + ' th:nth-child(' + lCol + ')').hide();
     $(lRepId + ' td:nth-child(' + lCol + ')').hide();
</script>Edit checkbox item and place to HTML Form Element Attributes
CHECKED onclick="hideCol(this);"Your report template most inner table tag must have id attribute
id="report_data_#REGION_ID#"Then you have result like this
https://apex.oracle.com/pls/otn/f?p=40323:70
Regards,
Jari
Edited by: jarola on Oct 27, 2010 11:13 PM
Note about Apex 4 and jQuery added

How to change the order of report columns

Hi guys,
I am newbie to the Apex 3.2. I am not finding option to resequence the column display. e.g.
My columns shown as Org ID, Create Date, Update Date, Name.
I want to change it to Org ID, Name, Create Date, Update Date.
This in tabular form. Any help would be much appriciated.
Thanks
Sushil

Hello Sushil,
Go to Edit Page XX link at the bottom of the page. In the edit page under the Regions section you will see your tabular form listed. Click on the "Report" link next to your tabular form link. You will see all the report columns with up and down arrow images to the right of the columns. Just click on the images to move the columns as you like and then click on "Apply Changes" button to save the changes. Run your page and you will see the changes.
Thanks,
Machaan
P.S: Please assign correct answer points if this helped you with your problem :)

Passing parameter from interactive report column link to new page

I'm very simply trying to pass the value of the column link to the where clause on the next page.
Interactive Report on P2 has column link fid alias in sql query.
I read somewhere to refer prefix the interactive report column with IR ??
So I have item name P2_FID, value #FID#. Anyway, I've tried a kazillion things.
Created a hidden item with same source value... sigh.
Is there a syntax to refer to a report column link, rather than an item_id in a region where clause?
Is there a simple direct way to do this?
Thanks,
Pamela
-----pls/apex/f?p=163:1:2746459963336955::NO::P2_FID:119

Thank you Varad...
Unfortunately, I am still getting no data found. (and there IS data).
a) Do you mean in the link column section of the report attributes? that is done: item 1 name= IR_P2_FID, value = #FID#
b) Do you mean my changing my hidden page item to ir_p2_fid with its source value as #FID# ? also done.
Do I need this hidden item?, and if not how do I refer to link in the where clause of the called page's sql region?
3) Where Fishery_id = :IR_P2_FID
Where Fishery_id = &IR_P2_FID
Thanks again!
Pamela

Find/Change words (with GREP) and apply a style...

I need a Script for Find/Change words with GREP, and apply a paragraph style...
Thanks...

Hi Marcos,
If you want the script to create character styles: Bold , Italic, Bold Italic, etc, and replace local formatting with these styles, use scripts in post #3.
But if you want find and change words, or/and replace local formatting with styles defined by you, use FindChangeByList script.
If the latter, I recommend you to download and install Record Find Change script (written by Martin Fisher).
Then choose settings you need in Find-Change dialog – make sure they work as expected – and run Record Find Change script. A Notepad/TextEdit file will pop up with a line containing the recorded setting. Copy it, open FindChangeList.txt, delete the contents of this file and paste the line you just copied (or add it to the bottom of the file).
Repeat the process for all find-change operations you need.
Finally run FindChangeByList.jsx to make all changes in one go.
However, while using Record Find Change script, you may encounter a problem: it doesn’t record paragraph and character styles placed inside a group. But you can write references to such styles like so:
appliedParagraphStyle:app.activeDocument.paragraphStyleGroups.item("Style Group 1"). paragraphStyles.item("Paragraph Style 1")
Kasyan

Display the second report as modalform and filter with primary key value of first report when you click on first report column link

Hi All,
I have two reports.
1. order report
2. order detail report
when you click on the order report column it display the order detail report as a modal form.
i was done below steps.
1. In page header i was written the below code
<link rel="stylesheet" href = "http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/
redmond/jquery-ui.css" type="text/css" />
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js"> </script>
<script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.js"> </script>
<script type="text/javascript">
$( function() {
$('#ModalForm1').dialog(
autoOpen : false ,
width :470,
height: 500,
resize :false,
function openForm1()
$('#ModalForm1').dialog('open');
function closeForm()
$('#ModalForm1 input[type="text"]').val('');
$('#ModalForm1').dialog('close');
</script>
2. order report.
3. order detail report
select * from order_details where order_id = p_order_id;
region header
<div id="ModalForm1" title="Ordered Items" style="display:none">
<p class="msg"></p>
footer
</div>
4. created the hidden item in order detail report.
5. in order report column attributes i was given link like below.
javascript:$s('p_order_id','#order_id#');openForm1();
when i click on the order report column link it passing the row primary key value to hiddent and open the report as modal form. however it is not filter the report with hidden item. it showing the no data found.
problem is hidden item value is not submitting. once we submit that value it showing the 2nd report with filter data.
can any help me to achieve above requirement.
apex: 4.2
oracle 11g
Regards,
Vijay.

Vijay,
Issue 1: Your usage of $s() JavaScript API seems to be wrong. For the first parameter, you need to use the name of the hidden page item and not p_order_id.
javascript:$s('P1_ORDER_ID','#ORDER_ID#');openForm1();
Issue 2: Seems like you are not setting the hidden page item's value in session state. Assuming your hidden page item is called P1_ORDER_ID, Under "Region Definition" tab of your "Order Detail Report" under "Source" tab, for page items to submit, enter the name of the hidden page item P1_ORDER_ID.
Thanks!
JMcG

Script to find report columns with XXS vulnerabilities

Similar Messages

Maybe you are looking for