HTML_WHITELIST Function

The HTML_WHITELIST function HTML-escapes every character in the input text except the tags named in the whitelist, which are passed through unchanged. This is useful when the input text legitimately contains simple HTML markup (headings, paragraphs, emphasis) but the developer must ensure that an attacker cannot inject other tags for cross-site scripting.

Syntax

APEX_ESCAPE.HTML_WHITELIST (
    p_html IN VARCHAR2,
    p_whitelist_tags IN VARCHAR2 DEFAULT c_html_whitelist_tags )
    return VARCHAR2;

Parameters

Table 12-5 HTML_WHITELIST Function Parameters

Parameter           Description
p_html              The text string that is filtered.
p_whitelist_tags    The comma-separated list of tags that stay in p_html unescaped; all other markup is escaped.

Example

This example shows how to use HTML_WHITELIST to neutralize unwanted HTML markup in a string while preserving whitelisted tags: the <h1> element is kept, and the <script> element is escaped so it renders as text instead of executing.

begin
    sys.htp.p(apex_escape.html_whitelist(
        '<h1>Hello<script>alert("XSS");</script></h1>'));
end;
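To make the two-step semantics concrete (escape everything, then restore only tags that appear verbatim in the whitelist), here is an added Python model of the behaviour described above. It is not Oracle's implementation: the set of escaped characters and the DEFAULT_WHITELIST_TAGS list are assumptions, not APEX's c_html_whitelist_tags.

```python
# Added illustration of HTML_WHITELIST semantics, not Oracle's code.
# Step 1: HTML-escape the whole input.
# Step 2: un-escape only tags that match a whitelist entry exactly.

# Constructed stand-in for c_html_whitelist_tags (the real default differs).
DEFAULT_WHITELIST_TAGS = "<h1>,</h1>,<h2>,</h2>,<p>,</p>,<b>,</b>,<em>,</em>"


def html_escape(text: str) -> str:
    """Escape the characters that carry meaning in HTML ('&' must go first)."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#x27;"))


def html_whitelist(p_html: str, p_whitelist_tags: str = DEFAULT_WHITELIST_TAGS) -> str:
    """Escape everything, then restore exact whitelisted tags.

    Matching is on the whole tag string, so '<b onclick=...>' is not equal
    to '<b>' and stays escaped: attributes cannot ride in on a whitelisted
    tag name, which is why exact-string whitelisting is safe here.
    """
    out = html_escape(p_html)
    for tag in p_whitelist_tags.split(","):
        tag = tag.strip()
        if tag:
            out = out.replace(html_escape(tag), tag)
    return out


if __name__ == "__main__":
    # Same input as the PL/SQL example above: <h1> survives, <script> is escaped.
    print(html_whitelist('<h1>Hello<script>alert("XSS");</script></h1>'))
    # A whitelisted tag name with an added attribute is not an exact entry.
    print(html_whitelist('<b onmouseover="x()">bold</b>'))
```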