Is it SQL or Java that removes my HTML mark-up?

Hi,
We have a 3rd party web application that is developed in Java, and its data is stored in Oracle.  We need to have a live link for one piece of data.  One of the web pages displays like a form, and you can click Edit to edit the content.  We would like one of the fields to be a link, so that when users click on it, it opens a new tab or navigates to that link URL.

I enter the markup, <a onclick="window.open('http://www.msn.com', '_blank');">HS-158-00888</a>, and submit it.  It then displays it as the text I entered and not as linked text in a browser.  Is there a built-in function in SQL that would automatically change any tag to letters like what I have from the Page Source in the browser?  Or is this something that the Java application does in its code if SQL doesn't have this function?
<td colspan="7">&lt;a onclick=&quot;window.open(&#39;http://www.msn.com';, &#39;_blank&#39;);&quot;&gt;ClickMe&lt;/a&gt;</td>

Thank you.
lapuccaAsked:

slightwv (Netminder) Commented:
How are you extracting the data from Oracle?

There are functions that will decode the values but depending on how you get the information to the web page, it may not work.

Check out dbms_xmlgen.convert:

set define off
select dbms_xmlgen.convert('hello &lt; World',1) from dual;
set define on
0
lapuccaAuthor Commented:
Hi,
This is a 3rd party web application implemented with Java and Oracle.  I just want to learn what the capabilities of Oracle/SQL are before shooting the question to the vendor.

Is this how Oracle stores the value, translating from "<" to "&lt;"?  Is this to prevent injection of JavaScript, and is this a common practice with SQL or is it usually done by programming code?

Thank you.
0
slightwv (Netminder) Commented:
Oracle does no encoding unless it is told to.  It stores what it is given.

Given all your previous questions about Web Services, my guess is the form where you enter the data is doing the encoding so the information can be passed via a SOAP call.

You need to do the reverse when getting the data back for display to get the data decoded.
0
lapuccaAuthor Commented:
You're correct that my previous web services questions are from this exact same 3rd party product.  I guess they could be calling their own api in their application.

I thought it would be more likely to be decoded in Oracle to prevent sql injection since "<" could indicate javascripting.  

So how would a program usually decode this?  Write or call a function to decode every piece of data retrieved?   Just a learning process for me now, thank you.
0
slightwv (Netminder) Commented:
How you decode depends on how/where you need the information decoded.

You can easily write a sqlplus query that extracts and decodes the individual fields, but if you need to pass it back through a web service, this likely will not do you any good.

It all depends on how the application works.

I would look at decoding it at display time.

>>Oracle to prevent sql injection since

Yes, SQL injection is a concern in all databases/applications.  As is Cross-Site Scripting.

However, databases store what you give them.  Apps allow what they are coded to allow.

I don't know any coding or database products that attempt to protect the developers/DBAs from themselves...

Well, IIS does a little for 'potentially dangerous script' issues...  but you get what I'm saying...
0
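
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not the vendor's code: the application escapes stored text when it writes the page, which is why the entered tag shows up as literal text, and a clickable link is produced by building the anchor from plain-text fields rather than by decoding stored markup. The class and method names are hypothetical, and storing the label and the URL as two separate fields is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class DisplayTimeEncoding {
    // Assumption: only ordinary web links are wanted in this field.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Escape the characters that are significant in HTML text and quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Build the anchor from two plain-text values. The database stores them
    // unchanged; validation and escaping both happen here, at display time.
    static String renderLink(String label, String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
            if (ALLOWED_SCHEMES.contains(scheme) && u.getHost() != null) {
                return "<a href=\"" + escapeHtml(u.toString()) + "\" target=\"_blank\""
                     + " rel=\"noopener noreferrer\">" + escapeHtml(label) + "</a>";
            }
        } catch (URISyntaxException e) {
            // Not a parseable URL: fall through and show the label as plain text.
        }
        return escapeHtml(label);
    }

    public static void main(String[] args) {
        // Constructed sample input: the markup typed into the form in the question.
        String stored = "<a onclick=\"window.open('http://www.msn.com', '_blank');\">HS-158-00888</a>";
        System.out.println(escapeHtml(stored));                               // shown as text
        System.out.println(renderLink("HS-158-00888", "http://www.msn.com")); // real link
        System.out.println(renderLink("HS-158-00888", "javascript:alert(1)")); // label only
    }
}
```

Decoding stored markup wholesale at display time would turn every user-editable field into a script injection point, so the link is assembled from validated parts instead.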
lapuccaAuthor Commented:
That makes sense, thank you.  I will now contact the vendor about the potential issue.
0