3.10.2 Controlling Output Escaping in Substitution Strings

Learn about controlling output escaping in substitution strings.

You can escape special characters in the substitution value by appending an exclamation mark (!) followed by a predefined filter name to a page or application item name, report column, or other substitution string. Output escaping is an important security technique to avoid Cross-Site Scripting (XSS) attacks in the browser. Oracle APEX already makes a best effort to automatically escape characters in an HTML or JavaScript context. With this extended syntax, developers have fine-grained control over the output.

Available Escape Filters

Available escape filters include:

  • HTML escapes reserved HTML characters, for example:
    • Item:

      &P1_DEPTNO!HTML.

    • Interactive grid column:

      &ENAME!HTML.

    • Columns in other reports:

      #ENAME!HTML#

    See Also:

    APEX_ESCAPE in Oracle APEX API Reference
  • ATTR escapes reserved characters in an HTML attribute context, for example:
    • Interactive grid column:

      &ENAME!ATTR.

    • Columns in other reports:

      #ENAME!ATTR#

    See Also:

    HTML_ATTRIBUTE Function in Oracle APEX API Reference
  • JS escapes reserved characters in a JavaScript context, for example:
    • Item:

      &P1_DEPTNO!JS.

    • Interactive grid column:

      &ENAME!JS.

    • Columns in other reports:

      #ENAME!JS#

    Note:

    The JS escape filter is not supported by substitutions performed on the client.

    See Also:

    JS_LITERAL Function in Oracle APEX API Reference
  • RAW preserves the original item value and does not escape characters, for example:
    • Item:

      &P1_DEPTNO!RAW.

    • Interactive grid column:

      &ENAME!RAW.

    • Columns in other reports:

      #ENAME!RAW#

  • STRIPHTML removes HTML tags from the output and escapes reserved HTML characters, for example:
    • Item:

      &P1_DEPTNO!STRIPHTML.

    • Interactive grid column:

      &ENAME!STRIPHTML.

    • Columns in other reports:

      #ENAME!STRIPHTML#
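To make the effect of each filter visible, the following added example (not Oracle's code and not the APEX engine's substitution logic) implements a small parser for the &NAME!FILTER. and #NAME!FILTER# syntax above and runs a constructed attacker-style value through every filter; the escaping functions are approximations of APEX_ESCAPE.HTML, HTML_ATTRIBUTE and JS_LITERAL, and the fallback to HTML for a substitution without a filter is an assumption of this demo.

```python
import html
import json
import re

# Constructed sample values; ENAME holds attacker-style markup to show each filter's effect.
VALUES = {"P1_DEPTNO": "10", "ENAME": '<b onmouseover="x()">Sm"ith</b>'}

def esc_html(s: str) -> str:
    """Approximates the HTML filter: escape &, <, >, " and '."""
    return html.escape(s, quote=True)

def esc_attr(s: str) -> str:
    """Approximates the ATTR filter: everything but ASCII alphanumerics becomes &#xHH;."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):x};" for c in s)

def esc_js(s: str) -> str:
    """Approximates the JS filter: backslash-escape for a JS string literal and
    neutralise < and > so the value cannot close the surrounding <script> block."""
    body = json.dumps(s)[1:-1]
    return body.replace("<", "\\u003c").replace(">", "\\u003e")

def esc_striphtml(s: str) -> str:
    """Approximates STRIPHTML: drop tags, then HTML-escape whatever remains."""
    return esc_html(re.sub(r"<[^>]*>", "", s))

FILTERS = {"HTML": esc_html, "ATTR": esc_attr, "JS": esc_js,
           "RAW": lambda s: s, "STRIPHTML": esc_striphtml}

# &NAME!FILTER.  (items, interactive grid columns)   #NAME!FILTER#  (columns in other reports)
TOKEN = re.compile(r"&([A-Z0-9_]+)(?:!([A-Z]+))?\.|#([A-Z0-9_]+)(?:!([A-Z]+))?#")

def substitute(template: str, values: dict, default: str = "HTML") -> str:
    """Expand substitution strings in template, applying the named escape filter.
    A substitution without a filter falls back to `default` (HTML; an assumption here)."""
    def repl(m):
        name = m.group(1) or m.group(3)
        flt = m.group(2) or m.group(4) or default
        if flt not in FILTERS:
            raise ValueError(f"unknown escape filter: {flt}")
        return FILTERS[flt](values.get(name, ""))
    return TOKEN.sub(repl, template)

if __name__ == "__main__":
    for t in ("<p>&ENAME!HTML.</p>", '<p title="&ENAME!ATTR.">', 'var n = "&ENAME!JS.";',
              "#ENAME!STRIPHTML#", "#ENAME!RAW#"):
        print(f"{t:32} -> {substitute(t, VALUES)}")
```

Only the RAW line in the output still contains live markup, which is why RAW belongs only where the value is known to be trusted HTML.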