24.10 HTML_ATTRIBUTE Function

Important:

When using HTML_ATTRIBUTE for plain text attributes (such as title, placeholder, aria-label), you may expose HTML code to end users: the function escapes markup characters, it does not remove them, so a value that contains HTML tags is shown to the user as literal tag text (for example in a tooltip). To avoid exposing HTML code to end users in such plain text attributes, do not call HTML_ATTRIBUTE for them.

WARNING:

Do not use the HTML_ATTRIBUTE function to escape attributes such as aria-label, alt, summary and other attributes whose content is not rendered visibly: any HTML code they contain is read out to users of assistive technologies, and because the content is visually hidden the problem is not obvious when testing the page.

Tip:

Oracle recommends the GET_HTML_ATTR function for escaping all HTML attributes instead of this function.

GET_HTML_ATTR enables you to choose the proper algorithm to escape the attribute value.

This function escapes values for use in HTML attributes. It hex escapes (as numeric character references of the form &#x20;) every character that is not alphanumeric or one of the following characters:

  • ,
  • .
  • -
  • _

Syntax

APEX_ESCAPE.HTML_ATTRIBUTE (
    p_string IN VARCHAR2 )
    RETURN VARCHAR2 deterministic;

Parameters

Table 24-10 HTML_ATTRIBUTE Parameters

Parameter Description
p_string The text string that is escaped.

Example

This example generates an HTML list of titles and text bodies. Attribute values are escaped with HTML_ATTRIBUTE, whereas normal text is escaped with HTML and HTML_TRUNC.

BEGIN
    sys.htp.p('<ul>');

    for l_data in ( select title, cls, body
        from my_topics )
    LOOP
        -- cls lands inside an attribute value: escape with html_attribute.
        -- title and body land in element content: escape with html / html_trunc.
        sys.htp.p('<li><span class="'||
            apex_escape.html_attribute(l_data.cls)||'">'||
            apex_escape.html(l_data.title)||'</span>');
        sys.htp.p(apex_escape.html_trunc(l_data.body));
        sys.htp.p('</li>');
    END LOOP;

    sys.htp.p('</ul>');
END;
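The following Python model, added here as an illustration and not part of the Oracle APEX documentation or code base, reimplements the hex-escaping rule described above (alphanumerics and , . - _ pass through, everything else becomes a hexadecimal character reference) and uses it to show two things at once: why an escaped value cannot break out of an attribute even when it contains quotes, and why the Important and WARNING notes above say that escaping does not prevent HTML code from reaching the user in a plain text attribute. The functions html_attribute, render_span_unsafe, render_span_safe, attribute_values, decoded_attribute_text and strip_tags are constructed for this example; the digit case of the hex references and the tag-stripping step are assumptions, and strip_tags is only an illustration of preparing a plain text value, not the GET_HTML_ATTR algorithm, which this page does not describe.

```python
import html
import re

# Characters the page says HTML_ATTRIBUTE leaves as-is: alphanumerics and , . - _
_SAFE = re.compile(r"[A-Za-z0-9,.\-_]")


def html_attribute(value: str) -> str:
    """Model of APEX_ESCAPE.HTML_ATTRIBUTE as described on this page.

    Every character outside the safe set becomes a hexadecimal character
    reference (&#x..;). Assumption: hex digits are emitted in upper case;
    the page does not state which digit case APEX uses.
    """
    return "".join(
        ch if _SAFE.fullmatch(ch) else f"&#x{ord(ch):X};" for ch in value
    )


def render_span_unsafe(cls: str, title: str) -> str:
    """Attribute values concatenated raw: the classic attribute break-out bug."""
    return f'<span class="{cls}" title="{title}">'


def render_span_safe(cls: str, title: str) -> str:
    """Same markup with both attribute values passed through html_attribute()."""
    return f'<span class="{html_attribute(cls)}" title="{html_attribute(title)}">'


def attribute_values(tag: str) -> dict:
    """Crude attribute tokenizer (constructed for the demo): name -> raw value.

    It splits on unescaped double quotes the way a browser tokenizes a start
    tag, so it reveals whether injected text became a new attribute.
    """
    return dict(re.findall(r'(\w[\w-]*)="([^"]*)"', tag))


def decoded_attribute_text(escaped: str) -> str:
    """What the browser hands to a tooltip or a screen reader: the character
    references are decoded, so escaped markup reappears as literal tag text."""
    return html.unescape(escaped)


def strip_tags(value: str) -> str:
    """Illustration only: drop markup before escaping a plain text attribute.
    This is not the GET_HTML_ATTR algorithm; the page does not spell that out."""
    return re.sub(r"<[^>]*>", "", value)


if __name__ == "__main__":
    # Constructed attacker-controlled class name trying to add an event handler.
    payload = 'x" onmouseover="alert(1)'
    print(attribute_values(render_span_unsafe(payload, "ok")))   # has onmouseover
    print(attribute_values(render_span_safe(payload, "ok")))     # class only
    # Constructed stored value that contains markup, used as a title/aria-label.
    print(decoded_attribute_text(html_attribute("<b>Total</b> sales")))
    print(decoded_attribute_text(html_attribute(strip_tags("<b>Total</b> sales"))))
```

The first two prints make the security point: after escaping, the quote in the payload is `&#x22;`, so the browser sees one long class value and never an onmouseover attribute. The last two make the accessibility point from the notes above: the escaped `<b>Total</b>` decodes back to the text `<b>Total</b>`, which a tooltip displays and a screen reader reads aloud, so for plain text attributes the markup has to be removed before escaping rather than merely escaped.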