| (-) Plug-Ins||Add plug-in support for additional components and enhance plug-in definitions.|
|... Add 'Escape special characters' flag to region attributes||EA1||A new checkbox, 'Has "Escape Special Characters" Attribute', has been added to the "Standard Attributes" section of region type plug-ins. It controls whether a region of that plug-in shows the "Escape special characters" field in the Security section when the region is edited.
The value selected for a region is stored in the p_region.escape_output variable when a plug-in is called. A plug-in developer can use it to determine whether the values read by the plug-in (for example from a SQL statement) should be escaped before they are displayed on the page. This gives developers using the plug-in a way to prevent Cross-Site Scripting (XSS) attacks.
Note: The "Escape Special Characters" attribute is a generic attribute and doesn't provide security by itself. It's up to the plug-in developer to use that setting to determine whether the output should be escaped.|
|... Add 'Substitute Attribute Values' flag to plug-in configuration||EA1||Custom Plug-in Attribute Values specified by the developer might contain items referenced with substitution syntax, for example &P1_DNAME.
If Substitute Attribute Values is set to 'Yes', Application Express will automatically replace those references with their actual values before calling the plug-in.
If Substitute Attribute Values is set to 'No', the values are written unchanged into the attribute_01 - attribute_15 record type attributes of p_plugin, p_item, p_region, ... and the plug-in developer is responsible for replacing those substitution syntax references, either with a call to apex_plugin_util.replace_substitutions or by doing similar replacements.
A use case for 'No' would be if the custom plug-in attribute is used in a template and the substitution syntax is used to reference page items and columns of the SQL statement executed by the plug-in. Because the column values of the SQL statement are not available at the time when the plug-in is called, the replacement has to be done by the plug-in itself.|
|... Add plug-in support for Authorization schemes||EA1||Authorizations have been re-implemented using the APEX plug-in architecture.
Developers can now create plug-ins of type "Authorization Scheme Type", e.g. for database role or LDAP based authorization.
Authorizations can be implemented more declaratively, based on these new plug-ins and their attributes are based on built-in authorization types.
When creating a new authorization, different authorization attributes are shown, depending on the selected scheme type.|
|... Attribute Usability Enhancements||EA1||The following enhancements are designed to increase the usability of plug-ins:
1) Textarea for the plug-in attribute types PL/SQL Code, PL/SQL Expression, PL/SQL Function Body, SQL Query and Textarea is now resizable.
2) Attribute types "Page Number", "Page Item" and "Page Items" now have List of Values support.|
|... Increase number of custom attributes to 15||EA1||The number of custom attributes which can be defined for a plug-in has been increased to 15.|
|... New attribute type "Checkboxes"||EA1||New plug-in attribute type "Checkboxes" which allows the user to check multiple checkboxes based on the defined list of values. This new attribute type allows a developer to enable certain features of a plug-in by using just one custom plug-in attribute.|
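
The following sketch ties together the 'Escape special characters' flag and the 'Substitute Attribute Values' = 'No' case described above. It is an added example, not code from the original page or from Oracle. It assumes a hypothetical region plug-in whose region source is a one-column SQL query and whose attribute_01 is a row template with a made-up #VALUE# placeholder; the function name render_list is also hypothetical.

```plsql
-- Added example: render function of a hypothetical region type plug-in.
-- Assumptions: the region source is a SQL query returning one column;
-- attribute_01 is a row template defined with "Substitute Attribute Values"
-- = No; #VALUE# is a placeholder name invented for this example.
function render_list (
    p_region              in apex_plugin.t_region,
    p_plugin              in apex_plugin.t_plugin,
    p_is_printer_friendly in boolean )
    return apex_plugin.t_region_render_result
is
    l_result   apex_plugin.t_region_render_result;
    l_values   apex_plugin_util.t_column_value_list;
    l_template varchar2(32767);
    l_value    varchar2(32767);
begin
    -- APEX passed attribute_01 through unchanged, so &ITEM. references are
    -- resolved here. Item values are data, so they are always escaped
    -- before being merged into the developer-supplied markup.
    l_template := apex_plugin_util.replace_substitutions (
                      p_value  => p_region.attribute_01,
                      p_escape => true );

    -- Run the region source and fetch the single expected column.
    l_values := apex_plugin_util.get_data (
                    p_sql_statement  => p_region.source,
                    p_min_columns    => 1,
                    p_max_columns    => 1,
                    p_component_name => p_region.name );

    sys.htp.p('<ul>');
    for i in 1 .. l_values(1).count loop
        -- Honour the region's "Escape special characters" setting:
        -- the flag does nothing unless the plug-in acts on it here.
        l_value := apex_plugin_util.escape (
                       p_value  => l_values(1)(i),
                       p_escape => p_region.escape_output );
        sys.htp.p('<li>' || replace(l_template, '#VALUE#', l_value) || '</li>');
    end loop;
    sys.htp.p('</ul>');

    return l_result;
end render_list;
```

When reviewing a plug-in, check that every value read from the query passes through a call that consults p_region.escape_output before it reaches sys.htp.p.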