26.7 HTML Function
This function escapes characters which can change the context in an HTML environment. It is an extended version of sys.htf.escape_sc.
This function's result depends on the escaping mode that is defined by using apex_escape.set_html_escaping_mode. By default, the escaping mode is Extended, but it can be overridden by manually calling set_html_escaping_mode or by setting the application security attribute HTML Escaping Mode to Basic. If the mode is Basic, the function behaves like sys.htf.escape_sc. Otherwise, the rules below apply.
The following table depicts the ASCII characters that the function transforms and their escaped values:
| Raw ASCII Characters | Returned Escaped Characters |
|---|---|
| `&` | `&amp;` |
| `"` | `&quot;` |
| `<` | `&lt;` |
| `>` | `&gt;` |
| `'` | `&#x27;` |
| `/` | `&#x2F;` |
Syntax
```sql
APEX_ESCAPE.HTML (
    p_string IN VARCHAR2 )
    RETURN VARCHAR2 deterministic;
```
Parameters
| Parameter | Description |
|---|---|
| p_string | The string text that is escaped. |
Example
This example tests escaping in basic (B) and extended (E) mode.
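```sql
DECLARE
    -- Raises an error when the two strings differ; the appended '.' keeps
    -- a NULL (empty) string comparable.
    PROCEDURE eq(p_str1 IN VARCHAR2, p_str2 IN VARCHAR2)
    IS
    BEGIN
        IF p_str1||'.' <> p_str2||'.' THEN
            raise_application_error(-20001, p_str1||' <> '||p_str2);
        END IF;
    END eq;
BEGIN
    -- Basic mode behaves like sys.htf.escape_sc: ' and / are left unchanged.
    apex_escape.set_html_escaping_mode('B');
    eq(apex_escape.html('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;''/');
    -- Extended mode additionally escapes ' and /.
    apex_escape.set_html_escaping_mode('E');
    eq(apex_escape.html('hello &"<>''/'), 'hello &amp;&quot;&lt;&gt;&#x27;&#x2F;');
END;
```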
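The difference between the two modes matters most when an escaped value is placed inside a single-quoted HTML attribute, because Basic mode leaves the apostrophe intact and the value can end the attribute early. The block below is an added illustration, not part of the original reference; the `render` helper and the sample input are constructed for this example, and output is written with `dbms_output`.

```sql
DECLARE
    -- Constructed sample input: contains an apostrophe, markup and a slash.
    l_input CONSTANT VARCHAR2(100) := 'it''s <b>bold</b>';

    -- Hypothetical helper: emits the escaped value twice, once inside a
    -- single-quoted attribute and once as element text.
    FUNCTION render (p_value IN VARCHAR2) RETURN VARCHAR2
    IS
    BEGIN
        RETURN '<span title=''' || apex_escape.html(p_value) || '''>'
            || apex_escape.html(p_value)
            || '</span>';
    END render;

    -- Reports whether the escaped form of p_value still contains a raw
    -- apostrophe, which would terminate a single-quoted attribute.
    FUNCTION has_raw_apostrophe (p_value IN VARCHAR2) RETURN VARCHAR2
    IS
    BEGIN
        RETURN CASE WHEN instr(apex_escape.html(p_value), '''') > 0
                    THEN 'yes' ELSE 'no' END;
    END has_raw_apostrophe;
BEGIN
    -- Basic mode: &, ", < and > are escaped; ' and / pass through.
    apex_escape.set_html_escaping_mode('B');
    dbms_output.put_line('Basic    : ' || render(l_input));
    dbms_output.put_line('  raw apostrophe left: ' || has_raw_apostrophe(l_input));

    -- Extended mode (the default): ' and / are escaped as well, so the
    -- value stays inside the attribute.
    apex_escape.set_html_escaping_mode('E');
    dbms_output.put_line('Extended : ' || render(l_input));
    dbms_output.put_line('  raw apostrophe left: ' || has_raw_apostrophe(l_input));

    -- Fail loudly if Extended mode ever leaves an apostrophe unescaped.
    IF has_raw_apostrophe(l_input) = 'yes' THEN
        raise_application_error(-20002, 'apostrophe not escaped in Extended mode');
    END IF;
END;
```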