9 Replies Latest reply on May 16, 2018 4:19 PM by Sven W.

    APEX 5.1

    cgrav

      I have a display only field on my page that performs an output based on PL/SQL code. The output is in an htp.p format. In the htp.p it is using an item from the page or another page to display. The problem is if the item has a single quote (ex: Mary's), then the page will return an error.

      Has anyone seen this before? Does anyone know a solution to this issue?

        • 1. Re: APEX 5.1
          Alli Pierre Yotti

          Can you show your code?

          You can write single quotes like so:

          'D''COSTA'

          htp.p('D''COSTA');

          • 2. Re: APEX 5.1
            Scott Wesley

            Or you can use quote notation, which is handy for bigger strings:

            htp.p(q'[Mary's]');

            Grassroots Oracle: Quoting inside literal strings

            • 3. Re: APEX 5.1
              Billy~Verreynne

              Why use HTP.prn()?

              Some of the ugliest and nastiest hacks I've seen in APEX were done using custom HTP calls in a dynamic PL/SQL region.

              Why not use a classic, interactive, or grid report region? Why not use page items (values to render can be read easily from the database)? What is the justification to step totally outside of APEX rendering and CSS and theme actions and rules, and manually inject HTML elements into the DOM?

              • 4. Re: APEX 5.1
                fac586

                cgrav wrote:

                I have a display only field on my page that performs an output based on PL/SQL code. The output is in an htp.p format. In the htp.p it is using an item from the page or another page to display. The problem is if the item has a single quote (ex: Mary's), then the page will return an error.

                Has anyone seen this before? Does anyone know a solution to this issue?

                That will only be a problem if the code is using lexical substitution by referencing the item using static substitution string notation (&ITEM.). SQL and PL/SQL code in APEX should always use bind variable notation (:ITEM) to reference session state values. This will improve performance by reducing hard parsing and protect against SQL injection attacks. Additionally, item content should be HTML-escaped to eliminate XSS vulnerabilities. Use

                htp.p(apex_escape.html(:item));

                not

                htp.p(&ITEM.);

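                As an added example (not code from this thread or from APEX itself), the block below is what the "PL/SQL Code" attribute of a Display Only item could contain to render the value the way the answer above recommends. The item names P1_CUSTOMER_NAME and P2_CUSTOMER_NAME, the target page number 2 and the display_only CSS class are assumptions. With static substitution, &P1_CUSTOMER_NAME. is pasted into the source text before compilation, so a value like Mary's becomes part of the PL/SQL and the parse fails; with the bind variable the value is only ever data. apex_escape.html and apex_escape.html_attribute then neutralise the HTML metacharacters for the two output contexts, so the same value can neither break the markup nor inject script.

```plsql
-- Added example (not from the thread): "Output of PL/SQL Code" for a Display Only
-- item. P1_CUSTOMER_NAME, page 2, P2_CUSTOMER_NAME and the display_only class are
-- assumed names.
declare
    l_name  varchar2(4000) := :P1_CUSTOMER_NAME;  -- bind variable: the value is data,
                                                  -- never part of the compiled source,
                                                  -- so Mary's cannot break the parse
    l_url   varchar2(4000);
begin
    if l_name is null then
        -- Nothing to show: still emit a well-formed element.
        htp.p('<span class="display_only"></span>');
    else
        -- Pass the value to page 2 through the URL. url_encode handles the URL
        -- context; prepare_url adds the session state protection checksum when
        -- page 2 requires one.
        l_url := apex_util.prepare_url(
                     'f?p=' || :APP_ID || ':2:' || :APP_SESSION
                     || '::NO::P2_CUSTOMER_NAME:' || apex_util.url_encode(l_name));

        -- Escape per output context: the URL lands in an attribute, the visible
        -- text in element content. Both calls turn ' " < > & into entities, so a
        -- value such as Mary's or <b>x</b> is displayed literally, not interpreted.
        htp.p('<a class="display_only" href="'
              || apex_escape.html_attribute(l_url) || '">'
              || apex_escape.html(l_name)
              || '</a>');
    end if;
end;
```

                Note that escaping happens only at render time: the raw value (Mary's) stays unchanged in session state, which is what the Display Only item is meant to preserve. Storing pre-escaped values instead would double-escape them on the next render and break any code that reads the item as data.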
                • 5. Re: APEX 5.1
                  fac586

                  Billy~Verreynne wrote:

                   

                  Why use HTP.prn()?

                  Some of the ugliest and nastiest hacks I've seen in APEX were done using custom HTP calls in a dynamic PL/SQL region.

                  Why not use a classic, interactive, or grid report region? Why not use page items (values to render can be read easily from the database)? What is the justification to step totally outside of APEX rendering and CSS and theme actions and rules, and manually inject HTML elements into the DOM?

                  It's not stepping outside of APEX rendering. Output of PL/SQL Code is the built-in APEX rendering method for generating a custom HTML representation of a Display Only page item whilst preserving the original value in session state: How to add link on item

                  • 6. Re: APEX 5.1
                    Billy~Verreynne

                    I was referring to outside as in outside of the CSS classes and styles of the theme.

                    Manually throwing an HTML table element, for example, into the HTML output of the APEX flow engine is not a great idea in my view.

                    • 7. Re: APEX 5.1
                      cgrav

                      fac586,

                      Thank you for the response. This seems to have resolved my issue. I appreciate you giving an explanation as well. I will close this thread after a little further testing.

                      • 8. Re: APEX 5.1
                        cgrav

                        Thank you everyone for the quick replies. I appreciate all the help and guidance.

                        • 9. Re: APEX 5.1
                          Sven W.

                          What you are trying to do sounds really, really strange.

                          Since the data is in another item, I do not see how the value of this item could possibly end up in your code.

                          Can you describe what problem you are trying to address with this technical solution?

                          Maybe an HTML Expression would be an alternative?