9.2 HTML Function

This function escapes characters that can change the context in an HTML environment. It is an extended version of the well-known sys.htf.escape_sc.

The function's result depends on the escaping mode, which is set with apex_escape.set_html_escaping_mode. By default the escaping mode is "Extended", but it can be overridden by calling set_html_escaping_mode explicitly or by setting the application security attribute "HTML Escaping Mode" to "Basic". In "Basic" mode the function behaves like sys.htf.escape_sc; otherwise the rules below apply.

The following table, Table 9-1, lists the ASCII characters that the function transforms and their escaped values:

Table 9-1 Escaped Values for Transformed ASCII Characters

Raw ASCII Character    Returned Escaped Characters
&                      &amp;
"                      &quot;
<                      &lt;
>                      &gt;
'                      &#x27;
/                      &#x2F;

Syntax

APEX_ESCAPE.HTML (
    p_string IN VARCHAR2 )
    return VARCHAR2;

Parameters

Table 9-2 describes the parameters available in the HTML function.

Table 9-2 HTML Function Parameters

Parameter    Description
p_string     The string text that is escaped

Example

This example tests escaping in Basic ('B') and Extended ('E') mode.

declare
    -- raise an error if the two strings differ; the appended '.' makes
    -- the comparison work when either argument is null
    procedure eq(p_str1 in varchar2, p_str2 in varchar2)
    is
    begin
        if p_str1||'.' <> p_str2||'.' then
            raise_application_error(-20001, p_str1||' <> '||p_str2);
        end if;
    end eq;
begin
    -- Basic mode behaves like sys.htf.escape_sc: ' and / are left unchanged
    apex_escape.set_html_escaping_mode('B');
    eq(apex_escape.html('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;''/');
    -- Extended mode additionally escapes ' and /
    apex_escape.set_html_escaping_mode('E');
    eq(apex_escape.html('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;&#x27;&#x2F;');
end;
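The following block is an added example (it is not part of the APEX documentation) showing why the escaping mode matters when the escaped value is placed into different HTML contexts. The sample value l_untrusted is constructed; in a real page it would come from a page item or request parameter. Only apex_escape.html, apex_escape.set_html_escaping_mode, htp.p and dbms_output.put_line are used.

```plsql
declare
    -- constructed sample input containing every character from Table 9-1
    l_untrusted varchar2(200) := 'O''Neil & Sons <b>1/2</b>';
    l_escaped   varchar2(400);
begin
    -- Extended mode (the default) escapes all six characters of Table 9-1,
    -- including ' and /
    apex_escape.set_html_escaping_mode('E');
    l_escaped := apex_escape.html(l_untrusted);

    -- text node context: < > & are the characters that matter here
    htp.p('<span class="customer">' || l_escaped || '</span>');

    -- single-quoted attribute context: safe because ' became &#x27;
    htp.p('<input type=''text'' name=''customer'' value=''' || l_escaped || '''>');

    -- Basic mode behaves like sys.htf.escape_sc and leaves ' and / as-is,
    -- so a value escaped this way is only suitable for text nodes and
    -- double-quoted attributes; keep Extended mode unless every output
    -- context is known to be one of those
    apex_escape.set_html_escaping_mode('B');
    dbms_output.put_line(apex_escape.html(l_untrusted));
end;
```

The last dbms_output line prints O'Neil &amp; Sons &lt;b&gt;1/2&lt;/b&gt;, while the Extended-mode value used for the two htp.p calls is O&#x27;Neil &amp; Sons &lt;b&gt;1&#x2F;2&lt;&#x2F;b&gt;, matching Table 9-1.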