ABAP offers a predefined function called escape( ), which is available as of SAP_BASIS >= 731.
Whenever you need to convert data from an unescaped to an escaped string, you can use this function. It provides several formats: you can escape HTML, XML, JS and JSON content or combinations of them, as well as URL and URI links. You can also use the escape function to protect against cross-site scripting, as you can see in this link.
Escaping XML, HTML, JS content
The following table (taken from the ABAP documentation) shows which characters are converted for specific formats. Those marked with – are not escaped.
Format | & | < | > | " | ' | TAB | LF | CR | BS | FF | \ | ctrl-char |
E_XML_TEXT | & | < | – | – | – | – | – | – | – | – | – | – |
E_XML_ATTR | & | < | – | " | ' | &#9; | &#10; | &#13; | – | – | – | – |
E_XML_ATTR_SQ | & | < | – | – | ' | &#9; | &#10; | &#13; | – | – | – | – |
E_HTML_TEXT | & | < | > | – | – | – | – | – | – | – | – | – |
E_HTML_ATTR | & | < | > | " | ' | – | – | – | – | – | – | – |
E_HTML_ATTR_DQ | & | < | > | " | – | – | – | – | – | – | – | – |
E_HTML_ATTR_SQ | & | < | > | – | ' | – | – | – | – | – | – | – |
E_HTML_JS | – | – | – | \" | \' | \t | \n | \r | \b | \f | \\ | \xhh |
E_HTML_JS_HTML | & | < | > | " | ' | \t | \n | \r | \b | \f | \\ | \xhh |
Be aware that XML attribute data and element data are escaped in different ways, which is why the formats E_XML_TEXT and E_XML_ATTR follow different rules. Complete information can be found here. The same applies to HTML, so which format you need depends entirely on your use case.
Escaping URL / URI
Escaping URL and URI addresses works in a similar way: choose the format that suits your needs.
Format | Unconverted Characters |
E_URL | [0-9], [a-z], [A-Z], !, $, ', (, ), *, +, ,, -, ., _, &, /, :, ;, =, ?, @ |
E_URL_FULL | [0-9], [a-z], [A-Z], !, $, ', (, ), *, +, ,, -, ., _ |
E_URI | [0-9], [a-z], [A-Z], !, $, ', (, ), *, +, ,, -, ., _, &, /, :, ;, =, ?, @, ~, #, [, ] |
E_URI_FULL | [0-9], [a-z], [A-Z], -, ., _, ~ |
Example of converting XML text
```abap
DATA: xml_content           TYPE string,
      unescaped_xml_content TYPE string.

" Escape the raw value for use as XML element content.
xml_content = escape( val    = unescaped_xml_content
                      format = cl_abap_format=>e_xml_text ).
```
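The following added example (not from the original post or the ABAP documentation) applies the tables above to one value that ends up in three places of an HTML link: element text, a double-quoted attribute, and a URL query parameter. The report name, the sample value and the `/search?q=` path are assumptions made for illustration.

```abap
REPORT z_escape_context_demo.

* Constructed sample value standing in for untrusted input.
DATA: name     TYPE string,
      as_text  TYPE string,
      as_attr  TYPE string,
      as_param TYPE string,
      href     TYPE string,
      html     TYPE string.

name = `O'Brien & Sons <"Ltd">`.

* Element content: E_HTML_TEXT converts &, < and >, but leaves quotes alone.
as_text = escape( val    = name
                  format = cl_abap_format=>e_html_text ).

* Double-quoted attribute value: the " must be converted as well,
* otherwise the value could close the attribute early.
as_attr = escape( val    = name
                  format = cl_abap_format=>e_html_attr_dq ).

* Query parameter value: E_URL_FULL, because E_URL leaves &, = and ?
* unconverted (see the URL table), so the value could add parameters.
as_param = escape( val    = name
                   format = cl_abap_format=>e_url_full ).

* The finished URL is itself an attribute value, so it is escaped
* once more for the attribute context it is written into.
href = `/search?q=` && as_param.   " hypothetical path
href = escape( val    = href
               format = cl_abap_format=>e_html_attr_dq ).

html = `<a href="` && href && `" title="` && as_attr && `">`
    && as_text && `</a>`.

WRITE / html.
```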
More information can be found in the ABAP documentation.