It is always sad to find security problems in other people's hard work, but we should all be aware of the risks in using a particular plugin so that it can be used efficiently and securely.
We were recently asked about the HTML Markup for APEX Tree plugin, so we decided to take a look.
This plugin enables HTML markup within an APEX Tree region, which normally escapes all HTML special characters. The idea is to use replacement characters for "<", ">" and "&" in the tree SQL query and to configure these in the plugin. The plugin fires as a dynamic action after page load and uses some jQuery logic to activate the HTML markup by changing the replacement characters back to HTML syntax.
This appears to be very dangerous, and indeed it is: by subverting the built-in protections of APEX, this plugin significantly reduces the security of the APEX tree region. The example code contains the following.
case
  when sal < 2500 then '[b style="color: green"]'||"ENAME"||'[/b] [img src="/i/Fndokay1.gif" height="12"]'
  when sal < 4500 then '[b style="color: black"]'||"ENAME"||'[/b]'
  else '[b style="color: red"]'||"ENAME"||'[/b]'
end as title,
Will result in the proof that code is being executed in the browser. If you absolutely must use this plugin, then the data appearing in the tree must not be modifiable by any client-side requests.
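To make the mechanism concrete, here is an added JavaScript example that is not part of the plugin or of this post. It models the server-side escaping of a tree title (assumed, for simplicity, to cover only "&", "<" and ">"), the plugin-style global swap of the configured replacement characters back into "<" and ">", and a stricter allow-list conversion that only restores the exact markup the query above is designed to emit. The function names, the escaping model, the "[" / "]" replacement characters and the sample rows are assumptions made for the example.

```javascript
// Added example, not the plugin's own code. Models why replacing bracket
// characters with "<" and ">" after the fact undoes the region's escaping,
// and shows an allow-list alternative that only restores known markup.

// Assumed model of the server-side escaping applied to tree titles:
// only the three characters the plugin's replacement scheme targets.
function escapeHtml(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Plugin-style transformation: every replacement character becomes real
// markup, whether it came from the query's string constants or from row
// data such as ENAME. Nothing distinguishes the two once they are joined.
function naiveMarkup(escapedTitle, open = "[", close = "]") {
  return escapedTitle.split(open).join("<").split(close).join(">");
}

// Allow-list transformation: only the exact sequences the query is meant to
// emit are converted. Any other bracket sequence stays as inert text.
const ALLOWED = [
  { re: /\[b style="color: (green|black|red)"\]/g, out: '<b style="color: $1">' },
  { re: /\[\/b\]/g, out: "</b>" },
  {
    re: /\[img src="\/i\/([A-Za-z0-9_.-]+\.gif)" height="(\d{1,3})"\]/g,
    out: '<img src="/i/$1" height="$2">',
  },
];
function allowListMarkup(escapedTitle) {
  return ALLOWED.reduce((s, rule) => s.replace(rule.re, rule.out), escapedTitle);
}

// Simulates the query's TITLE expression for one row (constructed data).
function buildTitle(ename, sal) {
  if (sal < 2500) return `[b style="color: green"]${ename}[/b] [img src="/i/Fndokay1.gif" height="12"]`;
  if (sal < 4500) return `[b style="color: black"]${ename}[/b]`;
  return `[b style="color: red"]${ename}[/b]`;
}

// Escape as the region would, then apply one of the two transformations.
function renderTitle(ename, sal, transform) {
  return transform(escapeHtml(buildTitle(ename, sal)));
}

// Constructed row whose ENAME carries bracket markup it should not have.
const taintedName = '[img src="x"]';
console.log("plugin-style :", renderTitle(taintedName, 800, naiveMarkup));
console.log("allow-list   :", renderTitle(taintedName, 800, allowListMarkup));
```

With a normal name both transformations produce the same markup, but once row data contains the replacement characters the plugin-style swap turns that data into live elements, while the allow-list version leaves it as visible text. The allow-list is still weaker than never transforming row data at all, which is why the advice above stands: if the plugin is used, the tree's data must not be modifiable by any client-side request.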
ApexSec 2.2 has been updated with the check for this plugin.