26.12 HTML_CLOB Function
This function escapes characters which can change the context in an HTML environment. It is an extended version of the well-known SYS.HTF.ESCAPE_SC.
The function's result depends on the escaping mode that is defined by using SET_HTML_ESCAPING_MODE. By default, the escaping mode is "Extended", but it can be overridden by manually calling SET_HTML_ESCAPING_MODE or by setting the application security attribute "HTML Escaping Mode" to "Basic". If the mode is Basic, the function behaves like SYS.HTF.ESCAPE_SC. Otherwise, the rules below apply.
The following table shows the ASCII characters that the function transforms and their escaped values:
Table 26-1 Escaped Values for Transformed ASCII Characters
Raw ASCII Characters | Returned Escaped Characters |
---|---|
& | &amp; |
" | &quot; |
< | &lt; |
> | &gt; |
' | &#x27; |
/ | &#x2F; |
In addition, the function may escape Unicode characters if the database NLS character set is not UTF-8 or if the REQUEST_IANA_CHARSET HTTP header variable is set to something different than UTF-8 (which is the default). If Unicode escaping applies, these characters are escaped via &#xHHHH; where HHHH is the Unicode hex code.
Syntax
APEX_ESCAPE.HTML_CLOB (
    p_string IN CLOB )
    RETURN CLOB deterministic;
Parameters
Parameter | Description |
---|---|
p_string | The string text that is escaped. |
Example
The following example tests escaping in basic (B) and extended (E) mode.
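DECLARE
    -- Raise an error if the two CLOBs differ.
    PROCEDURE eq(p_str1 IN CLOB, p_str2 IN CLOB)
    IS
    BEGIN
        IF dbms_lob.compare(p_str1||'.', p_str2||'.') <> 0 THEN
            raise_application_error(-20001, 'p_str1 <> p_str2');
        END IF;
    END eq;
BEGIN
    -- Basic mode: only & " < > are escaped; ' and / pass through unchanged.
    apex_escape.set_html_escaping_mode('B');
    eq(apex_escape.html_clob('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;''/');
    -- Extended mode: ' and / are escaped as well.
    apex_escape.set_html_escaping_mode('E');
    eq(apex_escape.html_clob('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;&#x27;&#x2F;');
END;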
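The following Python model is an added example, not Oracle's implementation. It reproduces the Basic and Extended rules described above for offline testing and shows why the mode matters when a value is placed in a single-quoted HTML attribute. The function names, the `charset` parameter, and the choice to escape every code point above 0x7F as a zero-padded four-digit hex reference are assumptions of this model.

```python
# Model of the documented escaping rules; not Oracle's implementation.
BASIC = {"&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;"}
# Extended mode additionally escapes the single quote and the slash.
EXTENDED = {**BASIC, "'": "&#x27;", "/": "&#x2F;"}


def html_escape(text, mode="E", charset="utf-8"):
    """Escape text in mode 'B' (Basic) or 'E' (Extended).

    charset stands in for the database NLS character set and the
    REQUEST_IANA_CHARSET header (hypothetical parameter of this model).
    """
    if mode not in ("B", "E"):
        raise ValueError("mode must be 'B' or 'E'")
    table = BASIC if mode == "B" else EXTENDED
    # Per the page, Unicode escaping is one of the Extended-mode rules.
    escape_unicode = mode == "E" and charset.lower() not in ("utf-8", "utf8")
    out = []
    for ch in text:
        if ch in table:
            out.append(table[ch])
        elif escape_unicode and ord(ch) > 0x7F:
            # Assumption: every non-ASCII code point, padded to 4 hex digits.
            out.append("&#x%04X;" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def single_quoted_attr(value, mode):
    """Place an escaped value inside a single-quoted HTML attribute."""
    return "<input value='" + html_escape(value, mode) + "'>"


def stays_inside_attr(value, mode):
    """True when no raw single quote survives to end the attribute early."""
    return "'" not in html_escape(value, mode)


if __name__ == "__main__":
    sample = "O'Brien & Söhne </b>"  # constructed sample value
    for m in ("B", "E"):
        print(m, single_quoted_attr(sample, m), stays_inside_attr(sample, m))
    print(html_escape(sample, "E", charset="iso-8859-1"))
```

In Basic mode the apostrophe in the sample value reaches the page unescaped, so output destined for a single-quoted attribute needs Extended mode or a double-quoted attribute.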