Escape HTML / XML / JS content or URI / URL in ABAP

ABAP offers a predefined function called escape( ), which is available as of SAP_BASIS >= 731.

Whenever you need to convert your data from an unescaped to an escaped string, you can use this escape function. It provides several options: you can escape HTML, XML, JS and JSON content or a combination of them, as well as URL and URI links. You can also use the escape function to protect against cross-site scripting (XSS), as you can see in this link.

Escaping XML, HTML, JS content

The following table (taken from the ABAP documentation) shows which characters are converted for each format. Those marked with – are not escaped.

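| Format | & | < | > | " | ' | TAB | LF | CR | BS | FF | \ | ctrl-char |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| E_XML_TEXT | &amp; | &lt; | – | – | – | – | – | – | – | – | – | – |
| E_XML_ATTR | &amp; | &lt; | – | &quot; | &apos; | &#9; | &#xA; | &#xD; | – | – | – | – |
| E_XML_ATTR_SQ | &amp; | &lt; | – | – | &apos; | &#9; | &#xA; | &#xD; | – | – | – | – |
| E_HTML_TEXT | &amp; | &lt; | &gt; | – | – | – | – | – | – | – | – | – |
| E_HTML_ATTR | &amp; | &lt; | &gt; | &quot; | &#39; | – | – | – | – | – | – | – |
| E_HTML_ATTR_DQ | &amp; | &lt; | &gt; | &quot; | – | – | – | – | – | – | – | – |
| E_HTML_ATTR_SQ | &amp; | &lt; | &gt; | – | &#39; | – | – | – | – | – | – | – |
| E_HTML_JS | – | – | – | \" | \' | \t | \n | \r | \b | \f | \\ | \xhh |
| E_HTML_JS_HTML | &amp; | &lt; | &gt; | &quot; | &#39; | \t | \n | \r | \b | \f | \\ | \xhh |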

Be aware that XML attribute data and XML element data are escaped in different ways, which is why the formats E_XML_TEXT and E_XML_ATTR have different rules. Complete information can be found here. The same applies to HTML, so which format you need depends on your use case.

Escaping URL / URI

There is a similar approach for escaping URL and URI addresses: you choose the format that suits your needs.

| Format | Unconverted Characters |
|---|---|
| E_URL | [0-9][a-z][A-Z]!$()*+,._&/:;=?@ |
| E_URL_FULL | [0-9][a-z][A-Z]!$()*+,._ |
| E_URI | [0-9][a-z][A-Z]!$()*+,._&/:;=?@~#[] |
| E_URI_FULL | [0-9][a-z][A-Z]._~ |

Example of converting XML text
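
The following report is an added example, not the author's original listing: it passes element content through E_XML_TEXT and an attribute value through E_XML_ATTR, and builds the same element without escaping for comparison. The report name, the local class lcl_xml, its method build_item and the sample input are assumptions made for illustration.

```abap
REPORT z_escape_xml_demo.

" Hypothetical helper class: builds one XML element from two untrusted values.
CLASS lcl_xml DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS build_item
      IMPORTING iv_title      TYPE string
                iv_body       TYPE string
      RETURNING VALUE(rv_xml) TYPE string.
ENDCLASS.

CLASS lcl_xml IMPLEMENTATION.
  METHOD build_item.
    DATA lv_attr TYPE string.
    DATA lv_text TYPE string.

    " Attribute value: E_XML_ATTR converts & and < plus both quote
    " characters, TAB, LF and CR, so the value cannot end the attribute.
    lv_attr = escape( val = iv_title format = cl_abap_format=>e_xml_attr ).

    " Element content: E_XML_TEXT converts only & and <.
    lv_text = escape( val = iv_body format = cl_abap_format=>e_xml_text ).

    " Each value is escaped with the format of the place where it lands.
    rv_xml = |<item title="{ lv_attr }">{ lv_text }</item>|.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_input TYPE string.
  DATA lv_raw   TYPE string.
  DATA lv_safe  TYPE string.

  " Constructed sample input containing characters that are special in XML.
  lv_input = `R&D "beta" <draft> it's new`.

  " Unescaped concatenation: the result is not well-formed XML, because the
  " quote ends the attribute early and & and < start markup.
  lv_raw = |<item title="{ lv_input }">{ lv_input }</item>|.

  " Escaped per context: the same input stays plain data.
  lv_safe = lcl_xml=>build_item( iv_title = lv_input iv_body = lv_input ).

  WRITE: / lv_raw, / lv_safe.
```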


More information can be found in the ABAP documentation.

Peter Marcely

ABAP, Python, JavaScript developer