26.8 HTML_ALLOWLIST Function
The HTML_ALLOWLIST function performs HTML escape on all characters in the input text except the specified allowlist tags. This function can be useful if the input text contains simple html markup but a developer wants to ensure that an attacker cannot use malicious tags for cross-site scripting.
Syntax
APEX_ESCAPE.HTML_ALLOWLIST (
p_html IN VARCHAR2,
p_allowlist_tags IN VARCHAR2 DEFAULT c_html_allowlist_tags )
RETURN VARCHAR2 deterministic;Parameters
| Parameter | Description |
|---|---|
p_html |
The text string that is filtered. |
p_allowlist_tags |
The comma separated list of tags that stays in p_html.
|
Example
This example shows how to use HTML_ALLOWLIST to remove unwanted html markup from a string, while preserving allowlisted tags.
BEGIN
sys.htp.p(apex_escape.html_allowlist(
'<h1>Hello<script>alert("XSS");</script></h1>'));
END;See Also:
Parent topic: APEX_ESCAPE