Argument escaping in action bindings

fac586 Jul 2 2025

APEX 24.x

We are making increasing use of the APEX actions interface, using data-action or href attributes to bind UI elements to action behaviour as described in the documentation:

Binding a UI element to an action uses the custom attribute data-action or for links (<a> elements) the href attribute. The value of this attribute specifies the binding. In the simple case it is just the name of an action. The full syntax of the binding value is:

[context-id]action-name?arguments
  • context-id is the static id of a region that has defined an actions context or the element id of the element specified in a call to apex.actions.createContext. To explicitly reference the global context use [global]. This part of the binding including the square brackets is optional. The square brackets must be included in the syntax when there is a context-id.
  • action-name is the name of an action in the global context or if context-id is given, in that context.
  • arguments is a list of arg-name=arg-value pairs separated by &. This part of the binding including the leading ? is optional.

Which escape filter should be applied to arg-value substitutions that pass text strings in these action bindings? Confusion arises because the data is rendered in an HTML attribute (!ATTR filter) but consumed by a JavaScript action function (!JS filter).

For example, consider a report row where the column TERM contains Foo and DEFN is The first syllable of the misquoted sacred chant phrase 'foo mane padme hum.' — note the presence of single quotes in the definition string.

Is the column HTML Expression:

<a href="#action$acme-define?term=#TERM!ATTR#&defn=#DEFN!ATTR#">#TERM!STRIPHTML#</a>

or

<a href="#action$acme-define?term=#TERM!JS#&defn=#DEFN!JS#">#TERM!STRIPHTML#</a>

or does some more complex combination of apex_escape functions need to be applied in the region source query?
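
The two layers the question describes, as an added example that is not part of the original post and is not APEX's own parser: the browser resolves character references in the attribute first, and only then is the value split according to the binding grammar quoted above. The names decodeAttr, parseBinding and argsSeenByAction are hypothetical, the sample markup is constructed, and percent-decoding is left out because the page does not say whether APEX applies it.

```javascript
// Added example. Models only the grammar quoted in the post:
//   [context-id]action-name?arg=value&arg=value
// No percent-decoding is applied; the page does not say whether APEX does any.

// Stand-in for the browser: character references in attribute markup are
// resolved before any script reads the attribute value.
function decodeAttr(markup) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return markup.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] !== "#") return named[ref] ?? whole;
    const hex = ref[1].toLowerCase() === "x";
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Split a binding value into context, action name and argument map.
function parseBinding(binding) {
  const m = /^(?:\[([^\]]+)\])?([^?]+)(?:\?(.*))?$/s.exec(binding);
  if (!m) throw new Error("not a binding: " + binding);
  const args = {};
  for (const pair of (m[3] ?? "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    if (eq < 0) args[pair] = "";
    else args[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return { context: m[1] ?? null, action: m[2], args };
}

// HTML layer first, binding layer second: what an action function would get.
function argsSeenByAction(hrefMarkup) {
  const href = decodeAttr(hrefMarkup);
  if (!href.startsWith("#action$")) throw new Error("no action binding");
  return parseBinding(href.slice("#action$".length));
}

// Constructed markup: apostrophes written as character references.
const quoted = argsSeenByAction(
  "#action$acme-define?term=Foo&amp;defn=The first syllable of &#x27;foo mane padme hum.&#x27;");
console.log(quoted.args.defn);

// Constructed markup: the value "Q&A" with only its ampersand HTML-escaped.
const split = argsSeenByAction("#action$acme-define?term=Q&amp;A&amp;defn=x");
console.log(split.args);
```

In this model the second case yields term "Q" plus a stray argument "A": once the attribute is decoded, an ampersand inside a value is indistinguishable from the binding's own separator.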
