Home > Managing Application Security > About Cross-Site Scripting ... > Protecting Dynamic Output
Items fetched from session state and rendered using htp.p
or other methods should be explicitly escaped by the code where it is appropriate to do so. For example, suppose a PL/SQL dynamic content region on a page uses the following:
htp.p(v('SOME_ITEM'));
If the value of the item fetched from session state could contain unintended tags or scripts, you might want to use the following in the region:
htp.p(htf.escape_sc(v('SOME_ITEM')));
However, if you are confident that the fetched value is safe for rendering, you do not need to escape the value. As a developer, you need to determine when it is appropriate to not escape output.
As a best practice, follow this rule:
Never emit an item fetched from session state without escaping it unless the item is one of the safe types described in "About Safe Item Display Types".
The reason for this is that as a developer, there is no way you can prevent a hacker from posting a malicious value into a non-safe item. Even if your application does not present these items visibly to ordinary users, be aware that a hacker can mount a XSS attack using your application if you do not follow this rule.