Oracle APEX cards region does not escaping characters

Question

I am using the new Cards region of APEX 20.2 the problem I am facing is that I cannot escape characters on this region. For example I want to create a card region that each card will have multiple thumbnails based on the following select

Select '123' card_ID, '<img src="photo1.jpg" height="50"> <img src="photo2.jpg" height="50">' Photos from dual

I have not found a way to escape the characters and show the images. It shows the text "<img src="photo1.jpg" height="50"> <img src="photo2.jpg" height="50">

I have tried the advanced formating also.

Any ideas?

score 5 · Answer 1 · answered Mar 17 '21 at 11:54

To render the HTML markup, you can simply enable Advanced Formatting and add the following as an HTML Expression:

&PHOTO!RAW.

Cards by default escapes the column value. However, if you define column substitution with escape modifier RAW, the column value will not be escaped and the HTML will be rendered. Be mindful of any use of an item which has its raw value rendered, as this is an attack vector for cross-site scripting (or in your case, second-order cross-site scripting).

Julius Simon · Answer 2 · 2021-03-16T18:46:53.627

0

All of the columns are escaped and there's no option to not escape on the server side.

You can assign a class to the specific field on the card you'd like to escape.

Create an onload execute JavaScript dynamic action

$('.my-class').each(function(){
    return $(this).html($(this).text())
})

However this will only work on page load and not for dynamic actions that refresh your card region.

edited Mar 16 '21 at 18:46

answered Mar 16 '21 at 18:37

Julius Simon

46
4

Oracle APEX cards region does not escaping characters

2 Answers2