10.2 HTML Function

This function escapes characters which can change the context in an html environment. It is an extended version of the well-known sys.htf.escape_sc.

The function's result depends on the escaping mode that is defined by using apex_escape.set_html_escaping_mode. By default, the escaping mode is "Extended", but it can be overridden by manually calling set_html_escaping_mode or by setting the application security attribute "HTML Escaping Mode" to "Basic". If the mode is "Basic", the function behaves like sys.htf.escape_sc. Otherwise, the rules below apply.

The following table, Table 10-1, depicts ascii characters that the function transforms and their escaped values:

Table 10-1 Escaped Values for Transformed ASCII Characters

Raw ASCI Characters Returned Escaped Characters

&

&

"

"

<

&lt;

>

&gt;

'

&#x27;

/

&#x2F;

Syntax

APEX_ESCAPE.HTML (
    p_string IN VARCHAR2 )
    return VARCHAR2;

Parameters

Table 10-2 describes the parameters available in the HTML function.

Table 10-2 HTML Function Parameters

Parameter Description

p_string

The string text that is escaped

Example

This example tests escaping in basic ('B') and extended ('E') mode.

declare 
procedure eq(p_str1 in varchar2,p_str2 in varchar2) 
    is 
    begin 
        if p_str1||'.' <> p_str2||'.' then 
            raise_application_error(-20001,p_str1||' <> '||p_str2); 
    end if; 
end eq; 
begin 
    apex_escape.set_html_escaping_mode('B'); 
    eq(apex_escape.html('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;''/'); 
    apex_escape.set_html_escaping_mode('E'); 
    eq(apex_escape.html('hello &"<>''/'), 'hello
    &amp;&quot;&lt;&gt;&#x27;&#x2F;'); 
end;