aghili65 / OracleAPEXJsonViewer

Oracle APEX Json Viewer

Javascript-Error for multiline JSONs and code-injection #2

Open simonuwe opened 9 months ago

simonuwe commented 9 months ago

When the JSON is already formatted and a multiline string, no data is shown. The browser console shows the error

json-schema?p4_objec…xxHkXV6RgHeEDsg:140 Uncaught SyntaxError: Invalid or unexpected token (at json-schema?p4_objec…kXV6RgHeEDsg:140:83)

In the JavaScript code there is a newline after the '

(function(){$("#P4_OBJECT_SCHEMA_LABEL").remove();$("#P4_OBJECT_SCHEMA").jsonview('
{
  "type": "object",
  "required": ["lastname", "email"],
  "properties": {
  ....

This is caused by the statement in source line 23, v_html:=v_html || '$("#' || p_item.name || '").jsonview(''' || p_param.value || ''');'. When it is replaced by v_html:=v_html || '$("#' || p_item.name || '").jsonview(`' || p_param.value || '`);'; (not a quote but a backquote, for multiline string constants), JSONs will work too.

By the way: Your JSON-Viewer has an issue with code-injection. When you have a JSON-attribute with the content

" }); console.log('INJECTION'); })();//`

you will see

INJECTION

in the browser console. You must quote the JSON when creating the JavaScript command.

simonuwe commented 8 months ago

Best seems to be using apex_escape.js_literal(p_item.name);
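The two failure modes from this thread, reproduced as an added example that is not code from the OracleAPEXJsonViewer plugin: a plain-JavaScript model of how the PL/SQL concatenates p_param.value into the generated jsonview() call, beside a version that encodes the value as a JavaScript string literal (the job apex_escape.js_literal does on the PL/SQL side). The injection payload and the sample JSON are constructed for this model; the item name P4_OBJECT_SCHEMA is taken from the report.

```javascript
// Added example, not code from the OracleAPEXJsonViewer plugin. It models in plain JavaScript
// how the plugin's PL/SQL glues p_param.value into the generated jsonview() call, so both
// failure modes from this issue (multiline JSON, code injection) can be reproduced offline.

// Original approach: the JSON text is pasted between single quotes, exactly like
// v_html := v_html || '$("#' || p_item.name || '").jsonview(''' || p_param.value || ''');'
function buildSingleQuoted(itemName, jsonText) {
  return "(function(){$(\"#" + itemName + "\").jsonview('" + jsonText + "');})();";
}

// Hardened approach: encode the value as a JavaScript string literal. JSON.stringify of a
// string escapes quotes, newlines and control characters, so the data can never close the
// literal. On the PL/SQL side apex_escape.js_literal does the same job.
function buildEscaped(itemName, jsonText) {
  return "(function(){$(" + JSON.stringify("#" + itemName) + ").jsonview(" +
         JSON.stringify(jsonText) + ");})();";
}

// Run a generated snippet against a fake $(...).jsonview(...) and a fake console.
// Returns what jsonview received (null if never called), the console.log lines, and the
// name of any error (SyntaxError when the snippet does not even parse).
function execute(snippet) {
  const out = { received: null, logs: [], error: null };
  const $ = () => ({ jsonview: (v) => { out.received = v; } });
  const fakeConsole = { log: (m) => out.logs.push(String(m)) };
  try {
    new Function("$", "console", snippet)($, fakeConsole); // parse and run in one step
  } catch (e) {
    out.error = e.name;
  }
  return out;
}

// Constructed inputs: a pretty-printed (multiline) schema like the one in the report, and a
// minimal injection payload that breaks out of the single-quoted literal (constructed for
// this model; it is not the payload quoted in the issue).
const MULTILINE_JSON = '{\n  "type": "object",\n  "required": ["lastname", "email"]\n}';
const INJECTION_JSON = "{\"a\":1}'); console.log('INJECTION";

function demo() {
  return {
    naiveMultiline: execute(buildSingleQuoted("P4_OBJECT_SCHEMA", MULTILINE_JSON)).error,   // "SyntaxError"
    escapedMultiline: execute(buildEscaped("P4_OBJECT_SCHEMA", MULTILINE_JSON)).received === MULTILINE_JSON, // true
    naiveInjected: execute(buildSingleQuoted("P4_OBJECT_SCHEMA", INJECTION_JSON)).logs,      // ["INJECTION"]
    escapedInjected: execute(buildEscaped("P4_OBJECT_SCHEMA", INJECTION_JSON)).logs,         // []
  };
}
```

Call demo() to see all four outcomes side by side; the escaped builder hands jsonview the exact text it was given in both cases and never runs the embedded statement.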