21.12 HTML_CLOB Function
This function escapes characters which can change the context in an HTML environment. It is an extended version of the well-known SYS.HTF.ESCAPE_SC.
The function's result depends on the escaping mode that is defined by using SET_HTML_ESCAPING_MODE. By default, the escaping mode is "Extended", but it can be overridden by manually calling SET_HTML_ESCAPING_MODE or by setting the "application security attribute HTML Escaping Mode" to "Basic." If the mode is Basic, the function behaves like SYS.HTF.ESCAPE_SC. Otherwise, the rules below apply.
The following table depicts the ASCII characters that the function transforms and their escaped values:
Table 21-12 Escaped Values for Transformed ASCII Characters
| Raw ASCII Characters | Returned Escaped Characters |
|---|---|
| `&` | `&amp;` |
| `"` | `&quot;` |
| `<` | `&lt;` |
| `>` | `&gt;` |
| `'` | `&#x27;` |
| `/` | `&#x2F;` |
In addition, the function may escape Unicode characters if the database NLS character set is not UTF-8 or if the REQUEST_IANA_CHARSET HTTP header variable is set to something other than UTF-8 (which is the default). If Unicode escaping applies, these characters are escaped as `&#xHHHH;`, where HHHH is the Unicode hex code.
Syntax
```
APEX_ESCAPE.HTML_CLOB (
    p_string IN CLOB )
    RETURN CLOB deterministic;
```
Parameters
Table 21-13 HTML_CLOB Parameters
| Parameter | Description |
|---|---|
| `p_string` | The string text that is escaped. |
Example
The following example tests escaping in basic (B) and extended (E) mode.
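```
DECLARE
    -- Raises an error unless both CLOBs are identical.
    -- The appended '.' keeps a NULL argument from making the comparison NULL.
    procedure eq(p_str1 in clob, p_str2 in clob)
    is
    BEGIN
        IF dbms_lob.compare(p_str1||'.', p_str2||'.') <> 0 THEN
            raise_application_error(-20001, 'p_str1 <> p_str2');
        END IF;
    END eq;
BEGIN
    -- Basic mode: only & " < > are escaped, as with SYS.HTF.ESCAPE_SC.
    apex_escape.set_html_escaping_mode('B');
    eq(apex_escape.html_clob('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;''/');
    -- Extended mode: ' and / are escaped as well.
    apex_escape.set_html_escaping_mode('E');
    eq(apex_escape.html_clob('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;&#x27;&#x2F;');
END;
```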
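The following block is an added example, not part of the Oracle documentation. It shows the case HTML_CLOB exists for: untrusted text too large for a VARCHAR2 is escaped as a whole and then written to the page in chunks. The table `user_comments`, its columns `id` and `body`, the key value 42 and the chunk size are assumptions made for illustration.

```sql
DECLARE
    -- Characters per write. 8000 characters stay below the 32767-byte
    -- VARCHAR2 limit even when every character takes 4 bytes.
    c_chunk   CONSTANT PLS_INTEGER := 8000;
    l_raw     CLOB;
    l_escaped CLOB;
    l_length  PLS_INTEGER;
    l_offset  PLS_INTEGER := 1;
BEGIN
    -- Hypothetical source of untrusted text: USER_COMMENTS(id NUMBER, body CLOB).
    SELECT body
      INTO l_raw
      FROM user_comments
     WHERE id = 42;  -- constructed sample key

    -- Escape the complete value before splitting it. A chunk boundary may
    -- then fall inside an entity such as &lt;, which is harmless because the
    -- chunks are concatenated again in the response.
    -- Which characters are escaped depends on the escaping mode in effect.
    l_escaped := apex_escape.html_clob(l_raw);
    l_length  := NVL(dbms_lob.getlength(l_escaped), 0);

    sys.htp.prn('<div class="comment">');
    WHILE l_offset <= l_length LOOP
        sys.htp.prn(dbms_lob.substr(l_escaped, c_chunk, l_offset));
        l_offset := l_offset + c_chunk;
    END LOOP;
    sys.htp.prn('</div>');
END;
```

The escaped value is placed in element content here. In Basic mode the single quote is returned unchanged, so the same value must not be placed inside a single-quoted attribute unless the mode is Extended.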