This vulnerability lies in the second parameter of the modal window call (in this case the #ENAME# template variable). Modal dialogs are a common feature in any application, and giving the dialog a dynamic title is a natural way to enhance the user experience (UX); the problem is that the value used for that title comes straight from the data.
We have added a second parameter called 'title' to our mymodal function. The title is no longer hard-coded as "Some title" and is instead taken from the parameter variable 'title'.
Now navigate to the URL field in the link column section of the report attributes and use the template variable #ENAME# to pass the value of the ENAME column into the title parameter of the 'mymodal' function.
Whenever an edit link is clicked, the title of the modal window is set to the value of the “ENAME” column for that row in the report.
If you are using a version of APEX earlier than 4.2.2, your first course of action should be to ensure that the URL field for your link column is not passing a potentially malicious title to the modal window function. The column value is substituted into the link URL exactly as it is stored, so an ENAME value containing markup or a quote character ends up in the page as code rather than as text. Our method of dealing with this is to create a new column in the query for your report with the following PL/SQL:
In our next post we will discuss a known bug in the jQuery version that ships with APEX 4.2.2. It causes another cross-site scripting vulnerability in this example application, one that must also be fixed in order to fully eradicate the threat of XSS.
Click here to download the application used in this example.