- Dependent upon whether output validation (output escaping) is performed:
  - If the field is bound using Oracle's ADF binding framework, the value will be escaped.
    - Characters significant to HTML such as < and > are changed to &lt; and &gt; respectively in the response.
    - The data is rendered as text to be displayed by the browser instead of being interpreted as code to be executed.
  - The same value rendered through another tag that does not perform output escaping, e.g. a JSP scriptlet (<% out.println(problem); %>):
    - A stored <script> tag could be interpreted as code and executed.
- Even when using Oracle ADF, be wary of the tag attribute "escape" when set to "false" (escape="false"):
  - Turns off output escaping for that component.
  - Allows stored code to be added to the page.
  - The attribute should only be set to "false" for data from a trusted source, or data that has previously been scrubbed (sanitized).