
APEX - How to secure PL/SQL Dynamic Content from XSS?

AllenS.Sep 19 2022

I'm currently building an application where end-user admins define templates via a Rich Text Editor. When this is saved, it goes to a CLOB column in HTML format. This is then viewed as HTML content via PL/SQL Dynamic Content on the end-user side.
I read somewhere about XSS vulnerabilities, but I'm not a security expert, so I wanted to ask if there are already ways to prevent XSS for this purpose. The Rich Text Editor is set to Intermediate, so they don't have the "View Source" option. However, I'm not sure if it's still possible to inject XSS scripting. Also, I am already using the following script to remove any script tag prior to saving it to the database. Not sure if this is enough, though.

select regexp_replace('<h1>Hello<Script>alert("XSS");</Script></h1>', '<script>([^><]*)\</script>', null, 1,0, 'i') as N from dual

I also tried using apex_escape.html_whitelist but for some reason, it doesn't whitelist the p tag if using styles.

select apex_escape.html_whitelist('<h1>Hello<p style="margin-left:40px;">World!</p></h1>') from dual;

We're on APEX 18.2.
Appreciate any feedback.

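The two approaches in the question behave differently: the `regexp_replace` only strips a literal `<script>...</script>` pair, so a script tag that carries any attribute is left in place, while `apex_escape.html_whitelist` matches its whitelist as literal tag strings (the default list contains `<p>` but no `<p ...>` with attributes), which is why the styled paragraph gets escaped. The usual fix is an allowlist sanitizer: parse the HTML, keep only known tags, keep only known attributes on them, restrict `style` to a few CSS properties, and HTML-escape all other text. The following is an added reference implementation of that approach in Python, not APEX or Oracle code; the tag, attribute and CSS-property lists are constructed for the example, and `blacklist_regex` reproduces the question's `regexp_replace` pattern to show what it misses.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlists: what the template editor may emit (assumption for this example).
ALLOWED_TAGS = {"h1", "h2", "p", "b", "strong", "i", "em", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"p": {"style"}, "h1": {"style"}, "h2": {"style"}}
VOID_TAGS = {"br"}
# Only these CSS properties survive, and only with plain values (no url(), no parentheses).
ALLOWED_CSS_PROPS = {"margin-left", "text-align", "font-weight"}
CSS_VALUE = re.compile(r"^[A-Za-z0-9 .%#-]+$")


def blacklist_regex(html):
    """The question's regexp_replace pattern, transcribed to Python: only a bare <script> pair is removed."""
    return re.sub(r"<script>([^><]*)</script>", "", html, flags=re.IGNORECASE)


def clean_style(value):
    """Keep only allowlisted CSS declarations with simple values; everything else is dropped."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS_PROPS and CSS_VALUE.match(val):
            kept.append(f"{prop}:{val}")
    return ";".join(kept)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input HTML, emitting only allowlisted tags/attributes and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose content is discarded entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped, its text content is still emitted (escaped)
        parts = [tag]
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "style":
                    value = clean_style(value)
                if value:
                    parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always escaped, never trusted


def sanitize(html):
    """Return an allowlist-sanitised copy of html suitable for rendering as markup."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    # Inputs from the question plus a script tag with an attribute, which the regex leaves untouched.
    for sample in (
        '<h1>Hello<Script>alert("XSS");</Script></h1>',
        '<h1>Hello<p style="margin-left:40px;">World!</p></h1>',
        '<p>Hi</p><script type="text/javascript">alert(1)</script>',
    ):
        print("regex     :", blacklist_regex(sample))
        print("allowlist :", sanitize(sample))
```

The sanitizer runs at save time, before the CLOB is written, so whatever the PL/SQL Dynamic Content region later prints is already restricted to the allowlist; the same structure (tag allowlist, per-tag attribute allowlist, CSS-property allowlist, escape everything else) is what a PL/SQL or server-side library implementation needs to provide.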