FYI: APEX 4.2 Login Problems behind SiteMinder

nferreri, Jan 17 2013 (edited Jan 17 2013)
I'm doing some testing of APEX 4.2 and the impact it will have on our applications internally within my company, and was originally stumped when I got an error like this after a failed login attempt:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags


No APEX screen, just that lovely message in red on a white screen. After doing some digging, I determined that it was actually from our SiteMinder agent policy, which rejects certain special characters to prevent tampering. The SiteMinder log shows the following:
[CSmHttpPlugin.cpp:525][ERROR] URL contains BadCssChars. 
Exiting with HTTP 500 server error '00-0002'.
I decided to decode the URL to see what the problem was, and found this in it:
Invalid Login Credentials<div id="apex_login_throttle_div">Please wait 
<span id="apex_login_throttle_sec">10</span> seconds to login again.</div>
REALLY?! Tags in the URL like this???

I tried doing some searching to find out if anyone was experiencing this problem with 4.2 but wasn't able to find anything explicitly... I did, however, find a solution after reading this message: {message:id=10655557}. I determined the functionality could be turned off, and thankfully so... I couldn't imagine the red tape I would have to go through to get the policy updated to allow such things to pass through the URL. I'm kind of amazed Oracle chose this implementation for the new login page throttling, since it puts HTML/CSS tags directly in the URL! I really hope I don't encounter any other surprises like this embedded in the new version. :(

In any event, I just wanted to post something in case someone like me runs into this and is stuck like I was. I really hope Oracle finds a better way to do things like this in the future.
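The check the SiteMinder agent performed above can be reproduced offline. The following is an added example, not code from the original post, from Oracle or from CA/SiteMinder: it percent-decodes every query parameter of a login redirect URL and reports the characters a "bad CSS chars"-style policy would reject, then shows a redirect that carries only an opaque error code and a number, so the same policy lets it through. The sample URL, the parameter names `p_err` and `p_wait`, the `<path>` label and the `BAD_CSS_CHARS` set are all constructed for the example; the set is not SiteMinder's actual default list.

```python
"""Added example (not from the original post): decode an APEX-style login
redirect and flag the characters a SiteMinder-style 'BadCssChars' policy
would reject. Sample URL and character list are constructed, not real
SiteMinder defaults."""
from urllib.parse import urlencode, urlsplit, parse_qsl, unquote

# Illustrative stand-in for an agent's "bad CSS chars" list (assumption, not
# the real SiteMinder ACO default): anything that can open or close an HTML
# tag or break out of an attribute is treated as hostile.
BAD_CSS_CHARS = set("<>\"'")

# Constructed sample of what the APEX 4.2 login page sent after a throttled
# failed login: the error text, markup included, carried in a query
# parameter. The parameter name p_err is made up for this example.
THROTTLE_MSG = ('Invalid Login Credentials<div id="apex_login_throttle_div">'
                'Please wait <span id="apex_login_throttle_sec">10</span> '
                'seconds to login again.</div>')
SAMPLE_URL = "https://apex.example.com/apex/f?" + urlencode(
    {"p": "101:LOGIN", "p_err": THROTTLE_MSG})


def find_bad_chars(url, bad=BAD_CSS_CHARS):
    """Decode each query parameter and return {name: sorted bad chars found}.

    The scan runs on the decoded value, as the agent did in the post:
    '%3Cdiv%3E' in the raw URL is '<div>' once unquoted, so percent-encoding
    alone does not get the URL past the policy. The path is scanned too,
    under the made-up key '<path>'."""
    parts = urlsplit(url)
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        found = sorted(set(value) & bad)
        if found:
            hits[name] = found
    found = sorted(set(unquote(parts.path)) & bad)
    if found:
        hits["<path>"] = found
    return hits


def would_be_blocked(url, bad=BAD_CSS_CHARS):
    """True if the policy would answer this URL with the 'access is
    forbidden' page instead of passing it to APEX."""
    return bool(find_bad_chars(url, bad))


def safe_throttle_url(base, app_page, wait_seconds):
    """Alternative design (an assumption, not what APEX 4.2 does): put only
    an opaque error code and the wait time in the URL and let the login page
    render the markup server-side. Nothing in this URL can form a tag."""
    return base + "?" + urlencode(
        {"p": app_page, "p_err": "throttle", "p_wait": str(int(wait_seconds))})


if __name__ == "__main__":
    print("decoded p_err:", dict(parse_qsl(urlsplit(SAMPLE_URL).query))["p_err"])
    print("flagged:", find_bad_chars(SAMPLE_URL))
    alt = safe_throttle_url("https://apex.example.com/apex/f", "101:LOGIN", 10)
    print("alternative:", alt, "blocked:", would_be_blocked(alt))
```

The point of decoding before scanning is the one the post stumbled on: the APEX redirect was percent-encoded, so nothing looked wrong in the address bar, yet the agent unquoted it and saw literal `<div>` and `"` characters. Whether a given deployment blocks depends on that agent's configured character list, so substitute the real list before relying on this to predict behaviour.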
Post locked on Feb 14 2013. 0 comments, 1,262 views.