I have application migrated from apex 4.1.1 to 4.2.1. In application I use column links in IRs for accessing to detail grids. But on several pages I links like
"f?p=100:3074:10459201833350::NO::P3074_PRN,P3074_TITLE:33456782,%26#x0410;дм. Амурской обл. от 16.01.2013"
"f?p=100:3074:10459201833350::NO::P3074_PRN,P3074_TITLE:33456782,Адм. Амурской обл. от 16.01.2013"
And if I set Page Access Protection to Arguments Must have checksum then link is
"f?p=100:3074:12422592578327::NO::P3074_PRN,P3074_TITLE:33456782,%26&cs=3B91A5FB749F488B84C95F9573A59DCFD#x0410;дм. Амурской обл. от 16.01.2013"
Application Primary Language - Russian (ru)
Application Language Derived From - Application Primary Language
In all compatibility modes on several pages I have the same
And after migration I have similar bug in apex builder, for example when I try to copy page with Saved LOV from other application, on page 625 I see "Быстрый доступ" instead of russian name ("Быстрый доступ") of this list. It isn't problem to use names in english, but there was no such behavior in previous versions.
I try to create application on apex.oracle.com to display bug, but there is apex 4.2.2 and this bug doesn't repeat there.
can you please provide a testcase where this problem occurs and and install it on apex.oracle.com? Even if the error does not reproduce on our hosted instance, maybe we can find the cause by having a look at your app.
Yes, I've created testcase:
app: TESTAPP, user/pass TEST/TESTTEST
On apex.oracle.com it works, but on my db I see in first link in IR ("Петров", RN 327): f?p=103:3:12358370902215::NO::P3_RN,P3_TITLE:327,%26#x041F;етров Инокентий
instead of f?p=841:3:2700848672408::NO::P3_RN,P3_TITLE:327,%D0%9F%D0%B5%D1%82%D1%80%D0%BE%D0%B2%20%D0%98%D0%BD%D0%BE%D0%BA%D0%B5%D0%BD%D1%82%D0%B8%D0%B9
the bug appeares after migration from apex 4.0.2/4.1.1. to apex 4.2.1/4.2.2. Upgrade was made by reinstalling apex.
APEX 4.2 introduced escaping of non-ascii characters if the database character set is not UTF-8, to circumvent a certain class of XSS attacks. You can not reproduce the behaviour on apex.oracle.com, because it is set up with AL32UTF8. The switch to control this escaping is in the application security preferences (look for "HTML Escaping Mode"). Apparently, the extended escaping mode triggered a sleeping over-escaping bug in report links. I filed bug #16743663 for this issue.
Thank you for reporting this! We will work on a fix in the next patchset.
And one more thing before question will be answered.
There is no section Browser Security on Edit Security Attributes page in my installation of apex 4.2.2. Maybe it is the result of upgrade?
And in 4.2.1 it is and your advice help me.
I think that's because your application runs in an old compatibility mode. Can you temporarily set the compatibility mode in the application attributes to 4.2? You should be able to see the html escaping attribute then, in the security tab.