Securing Output in Oracle APEX with the APEX_ESCAPE Package

Mahdi Ahmadi

In the world of web development, safely displaying data is just as important as storing or processing it. Oracle APEX, a powerful low-code platform for building data-centric applications, includes a built-in package called APEX_ESCAPE designed specifically to protect your applications from XSS attacks and unsafe output.

In this article, we’ll first get familiar with this package, and then walk through real-world scenarios showing exactly how to use it to make your Oracle APEX apps more secure.


What is the APEX_ESCAPE Package and Why Does it Matter?

APEX_ESCAPE is a PL/SQL package in Oracle APEX that lets you escape user data before displaying it in the browser. Escaping means converting characters like <, >, ", and ' into their safe equivalents so the browser doesn’t interpret them as HTML or JavaScript code.

If you don’t escape user-generated content, malicious code could be executed on the page — something we refer to as a Cross-Site Scripting (XSS) attack.


Core Functions of APEX_ESCAPE

Oracle APEX provides different escaping functions tailored for each type of content. Here's a quick reference table:

| Function | Purpose | Input Example | Escaped Output |
|---|---|---|---|
| html(p_string) | Escape for HTML output | <b>Hi</b> | &lt;b&gt;Hi&lt;/b&gt; |
| html_attribute(p_string) | For HTML attributes like value or href | "onmouseover="alert(1) | &quot;onmouseover=&quot;alert(1) |
| js_literal(p_string) | Escape for JavaScript strings | ";alert(1);// | \u0022;alert(1);// |
| json(p_string) | Escape for JSON values | "name": "Ali" | \"name\": \"Ali\" |
| uri(p_string) | Encode for safe URL use | سلام & دنیا | %D8%B3%D9%84%D8%A7%D9%85%20%26%20%D8%AF%D9%86%DB%8C%D8%A7 |
| xml(p_string) | Escape for XML output | <tag> | &lt;tag&gt; |
| csv(p_string) | Prepare for CSV exports | "Ali, 23" | "\"Ali, 23\"" |
| strip_tags(p_string) | Removes all HTML tags | <b>Hello</b> | Hello |
| escape(p_string, p_what) | General-purpose function, with mode selector | "<a>", "HTML" | &lt;a&gt; |

Why Use APEX_ESCAPE?

Although APEX does automatic escaping in some components, there are still several areas where you’re responsible for securing output, especially:

  • HTML Regions (PL/SQL or Static Content)

  • JavaScript code (in dynamic actions or inline)

  • Report columns (if using raw HTML or custom SQL)

If you're showing user input, it’s your job to escape it.


Real-World Examples of Using APEX_ESCAPE

Now let’s walk through practical scenarios where you’ll use APEX_ESCAPE to protect your app — each with a clear before-and-after transformation.


1. Escaping Output in Interactive Reports (Prevent XSS)

Unsafe version:

SELECT id, message_text FROM messages;

If a user submits:

<script>alert('XSS')</script>

…it will execute in the browser.

Safe version using apex_escape.html:

SELECT id, apex_escape.html(message_text) AS message_text FROM messages;

Output becomes:

&lt;script&gt;alert('XSS')&lt;/script&gt;

2. Escaping HTML Region Output

Let’s say you have a region like:

<p>Hello, <%= :P1_NAME %></p>

If P1_NAME is:

</p><script>alert('x')</script>

…it will execute malicious code.

Use apex_escape.html:

<p>Hello, <%= apex_escape.html(:P1_NAME) %></p>

3. Escaping JavaScript Literals in Dynamic Actions

You write JavaScript like this:

var name = '&P1_NAME.';

If the user enters:

";alert(1);//

…it breaks out and runs alert().

Use JS literal escape:

var name = '#APEX_ESCAPE.JS_LITERAL:P1_NAME#';

Now even dangerous input is shown as text, not code.


4. Escaping Values Placed in Link Attributes

Building custom links like this:

'<a href="page?p=' || :P1_SEARCH || '">Go</a>'

If the value is:

"><script>alert(1)</script>

…you’re in trouble.

Safe version:

'<a href="page?p=' || apex_escape.html_attribute(:P1_SEARCH) || '">Go</a>'
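The link from scenario 4 assembled with one escaper per output context, as an added example that is not part of the article. It assumes an APEX session with a page item P1_SEARCH and the target page alias "page" from the article, and uses APEX_UTIL.URL_ENCODE for the query-string step, which the article does not cover.

```plsql
-- Added example, not from the article: the custom link of scenario 4 built
-- with one escaper per output context. Assumes it runs inside an APEX session
-- (for example as a PL/SQL dynamic content region) with a page item P1_SEARCH
-- and the target page alias "page" used in the article.
declare
    l_search varchar2(4000) := :P1_SEARCH;   -- raw, user-controlled input
    l_href   varchar2(4000);
begin
    -- Context 1: the value becomes a query-string parameter. Percent-encode it
    -- (APEX_UTIL.URL_ENCODE) so & and # cannot add or cut off parameters.
    l_href := 'page?p=' || apex_util.url_encode(l_search);

    -- Context 2: the URL sits inside an HTML attribute. html_attribute turns a
    -- closing quote into &quot;, so "><script>alert(1)</script> stays inside
    -- the href value instead of opening a new tag.
    sys.htp.p('<a href="' || apex_escape.html_attribute(l_href) || '">Go</a>');

    -- Context 3: the same value shown as visible text uses the HTML text
    -- escaper, which renders <script> as &lt;script&gt;.
    sys.htp.p('<p>Results for: ' || apex_escape.html(l_search) || '</p>');

    -- Context 4: handing the value to inline JavaScript. js_literal escapes
    -- quotes and line breaks and, with p_quote set, encloses the result in the
    -- given quote character, so ";alert(1);// remains a plain string value.
    sys.htp.p('<script>var q = ' || apex_escape.js_literal(l_search, '''') || ';</script>');
end;
```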

5. Stripping Tags from User Input

Sometimes you don’t want to show any HTML at all, just plain text.

Use strip_tags:

:P1_COMMENT := apex_escape.strip_tags(:P1_RAW_INPUT);

6. Exporting Clean Data to CSV

To avoid breaking CSV structure with commas, quotes, or newlines:

SELECT apex_escape.csv(name), apex_escape.csv(note) FROM users;

Conclusion

Oracle APEX makes it easy to build apps quickly — but security is still your responsibility. The APEX_ESCAPE package is your first line of defense against XSS attacks and unsafe content rendering.

Written by Mahdi Ahmadi, Founder & CEO at Artabit | Oracle APEX Expert | Building Innovative HR Solutions | UAE & Iran