3 Changed Behavior

Some existing behaviour changes in this release.

3.1 Rich Text Editor

New Rich Text Editor page items are now based on a new third-party library, TinyMCE. APEX 23.1 ships with the free edition of TinyMCE version 6.3.1.

Existing items based on the CKEditor5 library continue to work. However, these items are deprecated, and will be automatically converted to TinyMCE in a future release.

You can choose which library the Rich Text Editor uses via the new item attribute Library. Note that the two libraries are API-incompatible, and any custom code using CKEditor5 APIs must be re-worked.

3.2 Unsupported Format Masks in Date Picker

Some formatting elements are not supported by the Date Picker. Previously, APEX attempted to render these elements. Now, unsupported format masks cause an error. To resolve the error, modify the format mask.

Unsupported items in the format mask include SSSSS, SYEAR, SYYYY, IYYY, YEAR, IYY, SCC, TZD, TZH, TZM, TZR, AD, BC, CC, EE, FF, FX, IW, IY, RM, TS, WW, E, I, J, Q, W, and X.

3.3 HTML Sanitization

Before APEX 23.1, the following components output HTML without any sanitization for Cross-Site Scripting (XSS):
  • Display Only Page Item (Format HTML)
  • Interactive Grid - Display Only Column (Format HTML)
  • Classic Report - Rich Text Column (Format HTML)
  • Interactive Report - Rich Text Column (Format HTML)
It was the developer's responsibility to ensure the contents were safe. This was not a trivial task.

As of APEX 23.1, these components sanitize the HTML content on the client before displaying it. This simplifies display of user-provided HTML, including the content of an HTML-based Rich Text Editor.

Consciously displaying "unsafe" HTML, such as script tags or javascript: expressions, onclick attributes, etc., is no longer possible as this content is stripped away. While display of this content is not recommended, you can choose to display it with the following methods:
  • for Display Only Page Items in HTML format, use a Static Content Region
  • for Display Only Interactive Grid Columns in HTML format, use an HTML Expression Column
  • for Classic Report Rich Text Columns in HTML format, use a Plain Text Column with Escape special characters disabled
  • for Interactive Report Rich Text Columns in HTML format, use a Plain Text Column with Escape special characters disabled

3.4 Shuttle Item Events

Shuttle Item now triggers the change event when the selected items are reordered. When a Shuttle item value can be reordered, the value's order is important. A change to the order is a change to the value, which justifies the change event.

If you previously used both change and shuttlechangeorder Dynamic Actions or event handlers, only the change handler is needed now. If you need to distinguish the two cases, the change event happens after the shuttlechangeorder event.

3.5 Combined JavaScript File Change

The combined JavaScript file interactiveGrid.min.js is replaced with modelViewBase.min.js, which contains a subset of the files in the former combined file. This is unlikely to affect existing apps unless custom code on your page implicitly depends on a module that was included in interactiveGrid.min.js and is not otherwise loaded on the page now. To avoid issues with custom code, always specify the individual files your code depends on.

3.6 Substitutions in HTML Expressions of Interactive Report

Interactive Reports now use HTML escaping as the default escape mode for item substitutions in HTML expressions.

If it is safe to output the referenced item value, developers can replicate the previous behavior of an unescaped value by using the RAW escape mode (&ITEM!RAW.).

3.7 App Builder UI Changes

User interface changes in this release include:

  • Quickly create copies of pages from the current application or other applications directly from the Create Page Wizard with the new Create Page as Copy button.
  • The Page Designer "Pick Table" dialog no longer shows table comments from the Data Dictionary.
  • When creating new plug-ins, the default type is now Template Component rather than Item.
  • Global template options and template option groups now display in an interactive grid to make editing easier.
  • All internal applications (4000-4999), including App Builder and SQL Workshop, now use Friendly URLs. This paves the way for future enabling of PWA in Builder.

3.8 Compatibility Mode

The application attribute Compatibility Mode controls the compatibility mode of the APEX runtime engine. Certain runtime behaviors change from release to release. You can use the Compatibility Mode attribute to obtain specific application behavior. This section lists Compatibility Mode changes by release. Note that all mode changes are inclusive in that all changes in older releases are included in newer releases.

Compatibility Mode Changes in Mode 4.1

In Oracle Application Express release 4.1, Automatic DML forms raised an error when rendering the page if the column name of the source of an item was invalid. Prior to Oracle Application Express release 4.1, an invalid column name of the source of an item would not raise an error when rendering the page but it would also not set session state of the item.

Also, in Oracle Application Express release 4.1, there are two new application Security Attributes to control Browser Security: Cache and Embed in Frames. Enabling the Cache attribute enables the browser to save the contents of your application's pages in its cache, both in memory and on disk. The Embed in Frames attribute controls if the browser displays your application's pages within a frame. Applications running in a Pre-4.1 Compatibility Mode function as if the Cache is enabled and as if Embed in Frames is set to allowed. Applications running in Compatibility Mode 4.1 or later respect the specific Browser Security attributes.

Also, in Oracle Application Express release 4.1, because of bug 12990445, the following changes were implemented for Automatic Row Processing (DML) process types. The code which performs the INSERT was changed to determine if the columns should be included in the INSERT statement. Note that these are the same checks which occur before an UPDATE. These new checks include:

  • Is the source type a DB Column?
  • Is the page item contained in the POST request? For example, if the page item is conditional it will not be contained in the POST request if the condition evaluates to FALSE during page rendering.
  • Is the page item not of type Display Only where Save State is set to No?

To enable these behaviors, set the Compatibility Mode to 4.1 or later. For behavior that matches earlier releases, set the Compatibility Mode to Pre-4.1.

Compatibility Mode Changes in Mode 4.2

In Oracle Application Express release 4.2 due to changes for the new grid layout, when a page is rendered, all regions in a certain display point are evaluated before rendering that display point, to find out if they should be displayed or not (so that the grid layout knows how many columns to render). The regions where the evaluation returned true will be executed and displayed. However, this will not work if a PL/SQL based region sets session state which is then used in a subsequent region condition to determine if the region should be displayed. In that scenario, the condition has already been checked before the display point is rendered. Use computations or PL/SQL processes to set session state before any region is displayed. In previous versions, the condition was evaluated right before each region was displayed.

In Oracle Application Express release 4.2, computations and processes with a processing point Before Region(s) now fire before any region gets rendered. Computations and processes with a processing point After Region(s) fire after all regions have been rendered. In previous versions, the computations and processes fired just before and after the region display point Page Template Body (1-3).

Oracle Application Express Patch Set 4.2.2 added two new Compatibility Mode changes for Compatibility Mode 4.2:

  • Text areas were changed to always use the Maximum Width attribute to restrict text input.
  • Enhanced security for report column links, where the link contains both JavaScript and references to other report column substitutions, for example:
    javascript:alert( 'Delete #NAME#' );

    In the previous example, NAME is a column name in the report.

Prior to Oracle Application Express release 4.2.1, to protect against possible cross-site scripting vulnerabilities, you would have had to explicitly escape any column values in the report source, so that they could safely be used in JavaScript links. When running in Compatibility Mode 4.2, Oracle Application Express automatically JavaScript escapes column name substitutions referenced in JavaScript links if the column is defined to escape special characters.

To fix this, Oracle recommends that you remove the manual JavaScript escaping from your report source and use the native escaping.

Compatibility Mode Changes in Mode 5.0

In Oracle Application Express release 5.0, referencing a Static Application File with #WORKSPACE_IMAGES# no longer returns the application file. Instead, use #APP_IMAGES#.

The API calls to wwv_flow_custom_auth_std.logout, wwv_flow_custom_auth_std.logout_then_go_to_page, wwv_flow_custom_auth_std.logout_then_go_to_url, and apex_custom_auth.logout are desupported and will raise a runtime error instead of logging out from the Oracle Application Express session. Instead, use the apex_authentication.logout entry point.

Prior to release 5.0, developers using data upload did not have the option to choose a date format. Instead, a parser checked for the best format to match the user's entry or an end user could enter their own format. Oracle Application Express release 5.0 includes a new item that enables the user to choose an application date format or user entered format. Because applications created before release 5.0 do not have an item, a Compatibility Mode of 5.0 checks if the user has entered some data. If no data has been entered, it picks the application date format.

When a session timeout occurs and no timeout URL is specified, Oracle Application Express raises an error instead of redirecting to the application's home page. If the session setup for an Ajax request fails, Oracle Application Express also raises an error. For Ajax requests that expect JSON, the response is a JSON string with members that describe the error. For other requests, the error appears on an error page.

Page items based on a database column where the attribute Source Used is set to Only when current value in session state is null will raise an error when the page item gets rendered. Using this setting for a database column is very dangerous and can result in accidentally overwriting data when viewing and saving multiple records. Always set the Source Used attribute to Always, replacing any existing value in session state.

Compatibility Mode Changes in Mode 5.1 / 18.1 / 18.2

In Oracle Application Express 18.1, buttons where the Execute Validations attribute is set to Yes also perform some client-side validations (such as item required checks) and will not submit the page until all issues are fixed. In previous versions this flag was just used to determine if server-side validations should be executed.

Tip:

Please pay attention when changing the Compatibility Mode to 5.1/18.1/18.2. Buttons, such as Cancel or Previous, where the Execute Validation flag has incorrectly been set to Yes and which use an After Submit branch, never execute validations when the user clicks the button. You can address this issue by using the new client-side validations, or by setting Execute Validations to No.

In release 5.1, any Ajax-based Dynamic Actions where the "Wait for Result" attribute is set to Yes perform an asynchronous Ajax call. Prior to 5.1, such calls would be made synchronously.

Compatibility Mode Changes in Mode 19.1

In Oracle Application Express 19.1, the Rich Text editor now enforces validation of the Max Length item attribute. When the length of the HTML markup exceeds the Max Length value, the system produces an error message.

Compatibility Mode Changes in Mode 19.2 / 20.1 / 20.2 / 21.1

In Oracle Application Express 19.2, Classic Reports render empty column values as an empty cell instead of using a "non-breaking white-space" (&nbsp;).

Compatibility Mode Changes in Mode 21.2 / 22.1 / 22.2 / 23.1

Prior to Oracle Application Express 21.2, all processes of the current processing point were executed regardless of the added errors.

In Oracle Application Express 21.2, calling APEX_ERROR.ADD_ERROR in a process stops further processes from executing and immediately displays the inline errors.
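The difference matters when a later process performs DML. The following two page processes are an added example, not code from Oracle's documentation; the page items P10_AMOUNT and P10_ORDER_ID and the table ORDERS are hypothetical. The explicit guard in the second process keeps the behavior safe in applications that still run in a Compatibility Mode earlier than 21.2.

```sql
-- Process 1 (earlier sequence): reject invalid input with an inline error.
BEGIN
    IF :P10_AMOUNT IS NULL OR TO_NUMBER(:P10_AMOUNT) <= 0 THEN
        apex_error.add_error(
            p_message          => 'Amount must be greater than zero.',
            p_display_location => apex_error.c_inline_in_notification);
    END IF;
END;

-- Process 2 (later sequence, same processing point): the DML step.
-- In Compatibility Mode 21.2 or later this process is not reached once
-- Process 1 has called ADD_ERROR. In earlier modes it still executes,
-- so it checks for errors itself before writing.
BEGIN
    IF NOT apex_error.have_errors_occurred THEN
        UPDATE orders                          -- hypothetical table
           SET amount   = TO_NUMBER(:P10_AMOUNT)
         WHERE order_id = :P10_ORDER_ID;
    END IF;
END;
```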

3.9 Enabling Network Services in Oracle Database

You must enable network services in Oracle Database to send outbound mail, use Web services, or use template-based PDF report printing with BI Publisher in Oracle APEX.

Note:

The following does not apply to APEX instances running on Oracle Autonomous Database. APEX can communicate with external endpoints over the internet without additional configuration.

3.9.1 When and Why Network Services Must be Enabled

Enabling network services enables support for sending outbound mail in Oracle APEX, using REST Services, REST Enabled SQL, or other web services, and using a remote server for report printing.

By default, the ability to interact with network services is disabled in Oracle Database. Therefore, you must use the DBMS_NETWORK_ACL_ADMIN package to grant network connect privileges to the APEX_230100 database user. Failing to grant these privileges results in issues with:

  • Sending outbound mail in Oracle APEX.

    Users can call methods from the APEX_MAIL package, but issues arise when sending outbound email.

  • Consuming REST services and other web services from APEX.
  • Making outbound LDAP calls from APEX.
  • Using a remote print server for report printing.

Note:

When upgrading APEX, the upgrade automatically configures Network Services based on the configuration of the previous APEX version.

Tip:

To run the examples described in this section, the compatible initialization parameter of the database must be set to at least 11.1.0.0.0. By default, the parameter is set properly, but a database upgraded from a version prior to 11g may require an update. For information about changing database initialization parameters, see Specifying the Database Compatibility Level in Oracle Multitenant Administrator's Guide.

See Also:

About Report Printing in Oracle APEX App Builder User’s Guide.

3.9.2 Granting Connect Privileges

The following example demonstrates how to grant connect privileges to any host for the APEX_230100 database user. This example assumes you connected to the database where Oracle APEX is installed as SYS specifying the SYSDBA role.

BEGIN
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host => '*',
        ace => xs$ace_type(privilege_list => xs$name_list('connect'),
                           principal_name => 'APEX_230100',
                           principal_type => xs_acl.ptype_db));
END;
/

The following example demonstrates how to provide less privileged access to local network resources. This example enables access to servers on the local host only, such as email and report servers.

BEGIN
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host => 'localhost',
        ace => xs$ace_type(privilege_list => xs$name_list('connect'),
                           principal_name => 'APEX_230100',
                           principal_type => xs_acl.ptype_db));
END;
/
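
A narrower alternative to the '*' grant, added here as an example (not part of Oracle's release notes): it audits the host ACEs already granted to APEX_230100, grants connect only to named hosts and ports, and removes a wildcard grant if one exists. The host names smtp.example.com and api.example.com and the port numbers are placeholder assumptions.

```sql
-- Added example. Host names and ports are placeholders (assumptions);
-- run as SYS with the SYSDBA role, as in the examples above.

-- 1. Audit: list every host ACE currently granted to the APEX schema.
SELECT host, lower_port, upper_port, privilege, grant_type
  FROM dba_host_aces
 WHERE principal = 'APEX_230100'
 ORDER BY host, lower_port;

-- 2. Grant connect only to the endpoints the applications actually use.
DECLARE
    l_ace xs$ace_type :=
        xs$ace_type(privilege_list => xs$name_list('connect'),
                    principal_name => 'APEX_230100',
                    principal_type => xs_acl.ptype_db);
BEGIN
    -- Outbound mail relay, submission port only (placeholder host).
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host       => 'smtp.example.com',
        lower_port => 587,
        upper_port => 587,
        ace        => l_ace);

    -- REST endpoint over HTTPS only (placeholder host).
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host       => 'api.example.com',
        lower_port => 443,
        upper_port => 443,
        ace        => l_ace);
END;
/

-- 3. Run only if step 1 returned a row with HOST = '*': remove the
--    wildcard grant so the specific ACEs above are the only ones left.
BEGIN
    DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
        host             => '*',
        ace              => xs$ace_type(
                                privilege_list => xs$name_list('connect'),
                                principal_name => 'APEX_230100',
                                principal_type => xs_acl.ptype_db),
        remove_empty_acl => TRUE);
END;
/
```

Re-run the audit query from step 1 afterwards to confirm that only the intended host and port combinations remain.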

3.9.3 Troubleshooting an Invalid ACL Error

Learn how to identify an invalid ACL by running a query.

If you receive an ORA-44416: Invalid ACL error after running the previous script, use the following query to identify the invalid ACL:

REM Show the dangling references to dropped users in the ACL that is assigned
REM to '*'.

SELECT ACL, PRINCIPAL
  FROM DBA_NETWORK_ACLS NACL, XDS_ACE ACE
 WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL AND
       NACL.ACLID = ACE.ACLID AND
       NOT EXISTS (SELECT NULL FROM ALL_USERS WHERE USERNAME = PRINCIPAL);

Next, run the following code to fix the ACL:

DECLARE
  ACL_ID   RAW(16);
  CNT      NUMBER;
BEGIN
  -- Look for the object ID of the ACL currently assigned to '*'
  SELECT ACLID INTO ACL_ID FROM DBA_NETWORK_ACLS
   WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;

  -- If just some users referenced in the ACL are invalid, remove just those
  -- users in the ACL. Otherwise, drop the ACL completely.
  SELECT COUNT(PRINCIPAL) INTO CNT FROM XDS_ACE
   WHERE ACLID = ACL_ID AND
         EXISTS (SELECT NULL FROM ALL_USERS WHERE USERNAME = PRINCIPAL);

  IF (CNT > 0) THEN

    FOR R IN (SELECT PRINCIPAL FROM XDS_ACE
               WHERE ACLID = ACL_ID AND
                     NOT EXISTS (SELECT NULL FROM ALL_USERS
                                  WHERE USERNAME = PRINCIPAL)) LOOP
      UPDATE XDB.XDB$ACL
         SET OBJECT_VALUE =
               DELETEXML(OBJECT_VALUE,
                         '/ACL/ACE[PRINCIPAL="'||R.PRINCIPAL||'"]')
       WHERE OBJECT_ID = ACL_ID;
    END LOOP;

  ELSE
    DELETE FROM XDB.XDB$ACL WHERE OBJECT_ID = ACL_ID;
  END IF;

END;
/

REM commit the changes.

COMMIT;

Once the ACL has been fixed, you must run the first script in this section to apply the ACL to the APEX_230100 user.