The following screenshot shows a safe item type: the text is escaped both where it is rendered in the browser and in the value held in session state.
Protecting HTML regions and other static areas
Session state values can be referenced in static HTML with the &ITEM. substitution notation (the trailing period is part of the syntax).
Protecting dynamic output
Values that are fetched from the database or from session state and written to the page by PL/SQL code (for example with htp.p in a PL/SQL region) should explicitly escape the HTML special characters before output.
Protecting reports regions
In Application Express 4.1 and higher, report attributes default to Display as Text (escape special characters, does not save state). Any HTML embedded in the data is therefore rendered as literal text during page rendering rather than being interpreted as markup.
The following screenshot shows an item of the type Display as Text (escape special characters):
Protecting form items
When form items, including hidden items, obtain their values while the form page is generated for the browser, the resulting text is escaped before it is rendered.
The rules for cross-site scripting that must be taken into account are as follows:
• Enable Escape Special Characters (< > &) on item and column attributes, and/or escape the output explicitly.
• Use sys.htf.escape_sc in any PL/SQL code that writes data into HTML.
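The following PL/SQL region source is an added example, not code from the book, illustrating both the "Protecting dynamic output" section and the escaping rule above. The item P1_NAME and the table demo_customers are assumed names; the unsafe variant is shown only to make the difference visible and should not be used.

```plsql
-- Added example: PL/SQL (Dynamic Content) region source in Oracle APEX.
-- P1_NAME and demo_customers are assumed names for illustration.

-- UNSAFE variant: the item value is concatenated straight into the markup,
-- so a value like <script>alert(1)</script> is executed by the browser.
--
--   htp.p('<h2>Welcome, ' || v('P1_NAME') || '</h2>');

-- SAFE variant: every dynamic value passes through sys.htf.escape_sc,
-- which replaces & < > " with their HTML entities before output.
declare
  l_name varchar2(4000) := v('P1_NAME');   -- raw value from session state
begin
  htp.p('<h2>Welcome, ' || sys.htf.escape_sc(l_name) || '</h2>');

  -- Data fetched from a table is untrusted as well: escape each column.
  htp.p('<ul>');
  for r in (select customer_name, email
              from demo_customers
             order by customer_name) loop
    htp.p('<li>'
          || sys.htf.escape_sc(r.customer_name)
          || ' (' || sys.htf.escape_sc(r.email) || ')'
          || '</li>');
  end loop;
  htp.p('</ul>');
end;
```

Note that htf.escape_sc does not escape the single quote, so the escaped value is safe as element text and inside double-quoted attributes, but not inside a single-quoted attribute or a JavaScript string literal; use a context-appropriate encoder there.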