(PL)SQL - HTML

I expected a function to validate HTML to be standard Oracle database functionality, but alas.
Some internet searching did return a few solutions, but none of those were as good as I needed them to be.

This was the most useful link I could find: https://forums.oracle.com/ords/apexds/post/how-validate-html-using-pl-sql-8336.
That post mentioned utl_i18n.escape_reference, but that will not work with HTML like e.g.: Hello&

So instead, I used apex_escape.html_allowlist_clob, which does work for the previous example.
However, by default that will not work for HTML like e.g.: Hello 
To get that to work, self-closing tags like - so I needed to exclude those.
Documentation on that: https://docs.oracle.com/en/database/oracle/apex/24.2/aeapi/HTML_ALLOWLIST-Function.html#GUID-AB0E2A42-D232-4AC6-9881-FE9437B9373E:
"The HTML_ALLOWLIST function performs HTML escape on all characters in the input text except the specified allowlist tags.
This function can be useful if the input text contains simple html markup but a developer wants to ensure that an attacker cannot use malicious tags for cross-site scripting."

I'm sure this is not 100% waterproof, but it worked well enough for me. If you have ideas for improvements please let me know.

Html	Expected	Is Valid Html	Escaped
<p>Hello</p>	Y	Y	<p>Hello</p>
<p>Hello&</p>	Y	Y	<p>Hello&amp;</p>
<p>Hello</p><br>	Y	Y	<p>Hello</p><br>
<p>Hello</p><br/>	Y	Y	<p>Hello</p><br/>
<p>Hello&</p	N	N	<p>Hello&amp;</p

Region

Identification
	Sequence	10
	Title	Validate HTML Examples
	Type	Report
Source
	Source Type	Report
	Region Source	with a as ( -- expected: Y select '<p>Hello</p>' as html ,'Y' as expected from dual -- union all select '<p>Hello&</p>' as html ,'Y' as expected from dual -- union all select '<p>Hello</p><br>' as html ,'Y' as expected from dual -- union all select '<p>Hello</p><br/>' as html ,'Y' as expected from dual -- union all -- expected: N select '<p>Hello&</p' as html ,'N' as expected from dual) select a.* ,ted_p1193.is_valid_html_yn(in_html => a.html) as is_valid_html ,apex_escape.html_allowlist(p_html => a.html,p_allowlist_tags => ted_p1193.html_allowlist_tags) as escaped from a

Package

Package
	Name	TED_P1193
	Source	package ted_p1193 is c_html_allowlist_tags constant varchar2(4000) := '<h1>,</h1>,<h2>,</h2>,<h3>,</h3>,<h4>,</h4>,<p>,</p>,<b>,</b>,<strong>,</strong>,<i>,</i>,<em>,</em>,<ul>,</ul>,<ol>,</ol>,<li>,</li>,<dl>,</dl>,<dt>,</dt>,<dd>,</dd>,<pre>,</pre>,<code>,</code>,<br />,<br/>,<hr/>'; /* We need this string for apex_escape.html_allowlist_clob Documentation: https://docs.oracle.com/en/database/oracle/apex/24.2/aeapi/HTML_ALLOWLIST_CLOB-Function.html p_allowlist_tags = constant apex_escape.c_html_allowlist_tags = "The comma-separated list of tags that stays in p_html." Because the xmltype.createxml fails for html that contains self-closing tags like <br>, and constant apex_escape.c_html_allowlist_tags includes two of those, I exclude them from this version: '<br>,<BR>' */ function html_allowlist_tags return varchar2; function is_valid_html(in_html clob) return boolean; function is_valid_html_yn(in_html clob) return varchar2; end ted_p1193;

Package Body

Package Body
	Name	TED_P1193
	Source	package body ted_p1193 is function is_valid_html(in_html clob) return boolean is l_xmltype xmltype; e_xml_parse_err exception; pragma exception_init(e_xml_parse_err, -31011); begin l_xmltype := xmltype.createxml('<root>' -- \|\| apex_escape.html_allowlist_clob(p_html => in_html ,p_allowlist_tags => c_html_allowlist_tags -- custom allowlist_tags is needed for self-closing tags like <br/> ) -- \|\| '</root>') -- apex_escape.html_allowlist_clob is needed for html entities like & ; return true; exception when e_xml_parse_err then return false; end is_valid_html; function html_allowlist_tags return varchar2 is begin return c_html_allowlist_tags; end html_allowlist_tags; function is_valid_html_yn(in_html clob) return varchar2 is begin if is_valid_html(in_html => in_html) then return 'Y'; else return 'N'; end if; end is_valid_html_yn; end ted_p1193;

Validate HTML

Validate HTML Examples

Code

Region

Package

Package Body