Archives

Categories

Post

Aprendiz Academy > Blog Aprendiz Academy > Uncategorized > Are you using it correctly? The hidden power of !RAW in Oracle APEX
July 11, 2025

Are you using it correctly? The hidden power of !RAW in Oracle APEX

Tiempo de lectura: 2 minutos

Introduction

Have you ever seen HTML appear as plain text in Oracle APEX? Have you noticed that substitution values lose symbols, quotes, or get automatically escaped?

Oracle APEX includes a powerful way to preserve original values without automatic escaping or modification: using !RAW.

This notation ensures values remain exactly as generated—essential in dynamic URLs, JavaScript, redirections, or when working with digital signatures or tokens.

In this article:

  • I explain what !RAW does and how it works in Oracle APEX substitutions.
  • You’ll see a real-world business example with signed approval links.
  • I’ll show you common mistakes and how to avoid them.

This article is useful for APEX developers, security specialists, and solution architects building dynamic apps where exact values matter.

Table of Contents

  1. What is !RAW in Oracle APEX?
  2. Syntax and usage context
  3. Real example: signed approval link with token
  4. Security and formatting considerations
  5. Best practices
  6. Conclusion and further resources

1. What is !RAW in Oracle APEX?

By default, Oracle APEX escapes special characters in substitutions like &ITEM. to prevent issues in HTML, JavaScript, and other contexts.

When you need the value to remain completely unchanged—without quotes, HTML encoding, or backslashes—you must use &MY_ITEM!RAW. or #COLUMN_NAME!RAW#.

This is critical when:

  • Building URLs with tokens or signatures
  • Inserting values into JavaScript
  • Embedding data in JSON or XML without encoding Blog Aprendiz Academy

2. Syntax and Usage Context

Substitution for items:

&MY_ITEM.        — escaped  
&MY_ITEM!RAW.    — unescaped

Substitution for columns:

#COLUMN_NAME#        — escaped  
#COLUMN_NAME!RAW#    — unescaped

Typical contexts:

  • In HTML: <a href="..."> links
  • In JavaScript: building dynamic objects
  • In URLs: passing signed or encoded parameters

3. Real Example: Signed Approval Link

Suppose you generate a SHA‑256 signed link for request approval, containing ID, TIMESTAMP, and a TOKEN generated on the backend:

sqlCopiarEditarSELECT
  'f?p=APP:PAGE::' || :APP_SESSION ||
  '::NO::P1_ID,P1_TOKEN:' || id || ',' || token AS enlace
FROM solicitudes;

In your APEX report, create a column using:

htmlCopiarEditar<a href="#ENLACE!RAW#">Approve request</a>

If you use #ENLACE# without !RAW, characters like &, =, %, or : get encoded and the link breaks. Using !RAW ensures it works correctly and directs users securely to the approval flow.

4. Security & Formatting Considerations

  • !RAW does not validate or escape anything—avoid using it with unsanitized user input.
  • Ideally, only use it with values generated by PL/SQL or controlled queries.
  • Always validate the token or signature on your target page to prevent tampering.

5. Best Practices

  • ✅ Use !RAW only when you’re sure the value doesn’t require escaping.
  • ✅ Apply server-side validation when values include tokens or sensitive IDs.
  • ✅ Document in your team when to use or avoid !RAW.
  • ✅ In JavaScript contexts, consider wrapping with APEX_ESCAPE.JAVASCRIPT_LITERAL if there’s user data.
  • ✅ Audit generated links to ensure no XSS or arbitrary code execution is possible.

6. Conclusion

Using !RAW in Oracle APEX empowers you to build more dynamic and reliable applications—when used correctly.

While it’s not magical, properly applied it enables you to:

  • Build signed links
  • Insert dynamic scripts without errors
  • Avoid automatic HTML escapes that break logic

It’s another valuable tool in your professional APEX developer toolkit.

Want to learn more?
Check Aprendiz Academy courses. Aprendiz Academy

Post a Comment

Your email address will not be published. Required fields are marked *