
APEX


When to not escape

user-skyworker_4418598  Dec 17 2005 — edited Mar 12 2008
On page 13-2 of the 2.0 User's Guide it says the below. Can someone provide some guidance or examples of when it is appropriate to not escape output?

Thanks.

Bill

Items fetched from session state and rendered using htp.p or other methods should
be explicitly escaped by the code where it is appropriate to do so. For example,
suppose PL/SQL dynamic content region on a page uses the following:

htp.p(v('SOME_ITEM'));

If the value of the item fetched from session state could contain unintended tags or
script, you might want to use the following in the region:

htp.p(htf.escape_sc(v('SOME_ITEM')));

However, if you are confident that the fetched value is safe for rendering, you do not
need to escape the value. As a developer, you need to determine when it is appropriate to not escape output.
Locked on Apr 9 2008
Added on Dec 17 2005
56 comments
4,092 views
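An added example, not code from the User's Guide or from the post, showing the guide's distinction inside one PL/SQL dynamic content region: the page items P13_USER_COMMENT and P13_STATUS_CODE, the CSS class names and the status codes are assumptions.

```plsql
-- Added example, not code from the User's Guide or the post.
-- Assumes page items P13_USER_COMMENT (free text typed by the end user)
-- and P13_STATUS_CODE (set by a page process, but still session state the
-- user can tamper with) on an APEX page with a PL/SQL dynamic content region.
DECLARE
  l_comment      VARCHAR2(4000) := v('P13_USER_COMMENT');
  l_status_code  VARCHAR2(30)   := v('P13_STATUS_CODE');
  l_status_html  VARCHAR2(200);
BEGIN
  -- 1. Untrusted text rendered as text: always escape. htf.escape_sc turns
  --    & < > and " into &amp; &lt; &gt; &quot;, so any tag or script in the
  --    comment is displayed literally instead of being parsed by the browser.
  htp.p('<p class="comment">' || htf.escape_sc(l_comment) || '</p>');

  -- 2. Markup chosen by the developer from a closed set of values: no
  --    character of the session-state value reaches the output, so there is
  --    nothing to escape. The ELSE branch matters: an unexpected or tampered
  --    code falls through to a fixed string instead of being echoed.
  l_status_html := CASE l_status_code
                     WHEN 'OPEN'   THEN '<span class="status open">Open</span>'
                     WHEN 'CLOSED' THEN '<span class="status closed">Closed</span>'
                     ELSE               '<span class="status unknown">Unknown</span>'
                   END;
  htp.p(l_status_html);

  -- 3. Attribute context: escape_sc leaves the single quote alone, so place
  --    the escaped value in a double-quoted attribute, never a single-quoted one.
  htp.p('<input type="text" name="p_comment" value="'
        || htf.escape_sc(l_comment) || '">');

  -- What the guide warns against: the raw value written straight to the page.
  -- htp.p(l_comment);   -- a <script> tag typed into the comment would execute
END;
```

The rule of thumb the block applies: a value is safe to leave unescaped only when none of its characters came from session state; if that cannot be shown by reading the code, escape it.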