1 Reply Latest reply: Nov 26, 2012 1:17 AM by mkirtley-Oracle

encoding using UTL_I18N.ESCAPE_REFERENCE

975831 Newbie
Hi All,

I am facing a problem with UTL_I18N.ESCAPE_REFERENCE.
In my project, to protect against the XML injection problem, the data entered by the user is encoded and passed to the database.

For any special characters received as input, the application encodes this data, e.g.:

if the user enters   encoded
<                    '&#x3c;'
>                    '&#x3e;'

And so on.

I can use the UTL_I18N.UNESCAPE_REFERENCE function and get the exact string entered by user.

Select UTL_I18N.UNESCAPE_REFERENCE('&#x3c;&#x3e;') x from dual;

Output
x
------
<>

But when I use the UTL_I18N.ESCAPE_REFERENCE function to encode the above output, it gives me some other string.

Select UTL_I18N.ESCAPE_REFERENCE('<>') x from dual;

Output
x
------------
&lt;&gt;

Can someone please help me get the string encoded back to the original, i.e. '&#x3c;&#x3e;'?

My findings on this have been that the characters are encoded as entities, but what I am looking for is probably the hex rendering of it. Please refer to the link below.

http://www.htmlhelp.com/reference/html40/entities/special.html


I observe the site is protecting against XML injection and is converting some text, so the post might not look correct. ESCAPE_REFERENCE returns the values in the entity column, but I expect the value in the hex column (please refer to the link).



Thanks in advance
Rahul.

Edited by: user11209150 on Nov 22, 2012 10:33 PM
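
An added example, not part of the original post and not Oracle's code: a hypothetical PL/SQL helper, escape_hex_reference, that emits hexadecimal character references for the five XML markup characters instead of the named entities ESCAPE_REFERENCE returns. It works in a single pass so that an ampersand already in the input is encoded exactly once, and the final query checks the round trip through UTL_I18N.UNESCAPE_REFERENCE.

```sql
-- Added example: escape_hex_reference is a hypothetical helper, not an Oracle built-in.
-- In SQL*Plus or SQL Developer, turn off substitution variables first so the
-- ampersands in the string literals below are not treated as prompts.
SET DEFINE OFF

CREATE OR REPLACE FUNCTION escape_hex_reference(p_str IN VARCHAR2)
  RETURN VARCHAR2 DETERMINISTIC
IS
  l_out VARCHAR2(32767);   -- VALUE_ERROR is raised if the escaped result outgrows this
  l_ch  VARCHAR2(1 CHAR);
BEGIN
  IF p_str IS NULL THEN
    RETURN NULL;
  END IF;

  -- One pass over the input: each character is examined once, so the '&'
  -- produced by an earlier replacement is never escaped a second time
  -- (the usual bug with chained REPLACE calls in the wrong order).
  FOR i IN 1 .. LENGTH(p_str) LOOP
    l_ch := SUBSTR(p_str, i, 1);
    IF l_ch IN ('<', '>', '&', '"', '''') THEN
      -- ASCII() gives the code point; FMXX formats it as hex without padding.
      l_out := l_out || '&#x' || LOWER(TO_CHAR(ASCII(l_ch), 'FMXX')) || ';';
    ELSE
      l_out := l_out || l_ch;
    END IF;
  END LOOP;

  RETURN l_out;
END escape_hex_reference;
/

-- Round-trip check: the second column should equal the original input.
SELECT escape_hex_reference('<>') AS escaped,
       UTL_I18N.UNESCAPE_REFERENCE(escape_hex_reference('<>')) AS round_trip
  FROM dual;
```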
