# Avoid Malicious JavaScript in Lists

Recently I was asked to review and test an APEX application to fulfill the security team's requirements before we could publish it, with an emphasis on escaping special characters.

In general, APEX takes care of this. If you look at the attributes of a Page Item or a Region, you will find a switch (on by default) to escape special characters, but we found an exception.

The scenario is this: let's say we create a simple list based on a query like the one shown below.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705685284390/50b5a420-bcf8-44bb-9d37-59be458eaee5.png align="center")

Then add this list to a region displayed as a Links List.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705686766654/3f59fcd1-bc42-4dd3-afab-6d9613b2e42b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705686812515/347fbf91-519e-40bb-baf6-7c5f334a6216.png align="center")

So the example looks like this:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705686868990/619bc594-f1b9-4cbf-8ca1-71c1de764f4f.png align="center")

Now, if you allow users to insert data that is going to be shown in a list, this is where the issue comes up. Let's use a form to add a new profile.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705687017136/250415a6-9e1e-40ac-a6a0-1a7f6acb3069.png align="center")

The new record shows correctly here.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705687052551/cd336d8f-7c1d-4461-9807-b4085dfc1ebf.png align="center")

Now let's add another record, this time with some JavaScript code in the name, and see what happens.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705687149939/d1feeccf-df37-40f1-9e66-3d16e1877280.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705687181006/2108fc23-0621-4553-8180-7663cca1b807.png align="center")

The JavaScript code was executed! Execution happens when the list region is loaded, so this is stored XSS: the payload lives in the table and runs in the browser of every user who opens a page containing that list. As you can see below, after closing the alert, the script characters are not escaped in the list, and there is no region or list attribute to turn escaping on for this case.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705687317693/eba5a472-1ee5-49db-a6c8-f229bcdc6824.png align="center")

But don't worry, there is a solution. APEX comes with a series of packages and APIs to help us. One of them is [apex\_escape](https://docs.oracle.com/en/database/oracle/apex/23.2/aeapi/APEX_ESCAPE.html), which "provides functions for escaping special characters in strings to ensure that the data is suitable for further processing".

So, let's wrap the label column of our list query in the apex\_escape.html function and see how the output changes.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705687993654/9b70f01b-b75d-41fe-9b2b-f9ef9e938412.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1705688063984/ef93e89e-241c-48be-9d76-47753f770a1e.png align="center")

Now we can see the special characters being escaped in the list, and that piece of code is no longer executed.
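Putting the whole fix together, here is the list query before and after the change, as an added example rather than the query from the screenshots above. The PROFILES table, its columns, the target page number and the item name are assumptions; the column order follows the APEX dynamic-list query layout (level, label, target, is_current_list_entry, ...).

```sql
-- Added example, not the post's own query. PROFILES(profile_id, profile_name),
-- page 20 and P20_PROFILE_ID are assumed names for illustration.

-- Before: the Links List template writes the label as raw HTML, so a
-- profile_name such as <script>alert(1)</script> runs for every user
-- who opens the page (stored XSS).
select null                                 as level_value,
       p.profile_name                       as label,
       'f?p=' || :APP_ID || ':20:' || :APP_SESSION
         || '::NO::P20_PROFILE_ID:' || p.profile_id as target,
       null                                 as is_current_list_entry
  from profiles p
 order by p.profile_name;

-- After: escape the label in the query itself, before it reaches the template.
-- apex_escape.html turns &, <, >, " and ' into HTML entities, so the browser
-- renders the text instead of parsing it as markup.
select null                                 as level_value,
       apex_escape.html(p.profile_name)     as label,
       'f?p=' || :APP_ID || ':20:' || :APP_SESSION
         || '::NO::P20_PROFILE_ID:' || p.profile_id as target,
       null                                 as is_current_list_entry
  from profiles p
 order by p.profile_name;

-- Quick check of the function on its own (SQL Workshop or SQL*Plus):
-- the angle brackets and quotes come back as entities, not as tags.
select apex_escape.html('<script>alert(''xss'')</script>') as escaped
  from dual;
```

Two practical notes. First, apply the same treatment to every column whose value comes from user input and ends up in the rendered list, not only the label. Second, only escape where the output is not escaped already: if you wrap a column that a region or item already escapes, users will see a literal `&lt;script&gt;` instead of the text, which is the usual sign of double escaping.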
