Hi APEX Devs,
I need your help regarding apex_escape.html and HTML escaping in APEX to prevent XSS security issues.
In our application, end users have the ability to define different NLS translations for the labels used. These translations are considered while displaying labels, and we are using the &F101_SETTINGS_NLS. substitution to enforce dynamic labels based on the logged-in language.
Such substitutions are used for Item labels, Region titles, breadcrumb, lists etc.
F3568_SETTINGS_NLS is filled using DB function get_translated_label(:NLS);
:F3568_SETTINGS_NLS := get_translated_label(:NLS); -- This returns escaped result
In this DB function we use apex_escape.html to escape HTML by default while fetching. Also, our application HTML escaping is set to "Extended".
Now when we used &F101_SETTINGS_NLS. for an item label like "Info & Settings", it appears as Info & Settings. So I used the RAW substitution as &F101_SETTINGS_NLS!RAW.
Raw substitution works fine for Region labels, page items, buttons and Notifications. But it does not work for Lists, Inline errors, page titles, breadcrumbs etc.

Downgrading the HTML escaping to Basic is not an option, since we want to fix this issue for all characters and not just a few.
Removing apex_escape.html from our function would mean that some components (breadcrumbs, Notifications), when substituted using &F101_SETTINGS_NLS., will render HTML as-is and will result in Cross-site scripting.
What's the best approach to handle these?
Thanks and Regards.
Edit 1:
In grids, without any explicit escaping, special characters are being handled correctly in column headers but messed up in other places.

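As an added illustration (not part of the original post and not APEX's own code), here is a small Python model of the two substitution forms discussed above. It shows why escaping in the fetch function and again at output double-encodes "Info & Settings", and why !RAW is only safe on a value that was already escaped. The names substitute, get_translated_label, render and outcome are assumptions made for this model.

```python
import html
import re

# Minimal stand-in for the two substitution forms described in the post
# (a constructed model, not APEX's implementation):
#   &NAME.      -> value is HTML-escaped on output
#   &NAME!RAW.  -> value is inserted verbatim
SUBST = re.compile(r"&([A-Z][A-Z0-9_]*)(!RAW)?\.")


def substitute(template: str, items: dict) -> str:
    """Expand &NAME. / &NAME!RAW. tokens in template from items."""
    def repl(m: re.Match) -> str:
        value = items.get(m.group(1), "")
        return value if m.group(2) else html.escape(value, quote=True)
    return SUBST.sub(repl, template)


def get_translated_label(label: str, escape_on_fetch: bool) -> str:
    """Models the DB function: with escape_on_fetch=True it applies
    apex_escape.html-style escaping before the value reaches the page."""
    return html.escape(label, quote=True) if escape_on_fetch else label


def render(label: str, template: str, escape_on_fetch: bool) -> str:
    items = {"F101_SETTINGS_NLS": get_translated_label(label, escape_on_fetch)}
    return substitute(template, items)


def outcome(label: str, template: str, escape_on_fetch: bool) -> str:
    """Classify what the browser would receive for one combination."""
    out = render(label, template, escape_on_fetch)
    once = html.escape(label, quote=True)
    if out == once:
        return "correct"          # escaped exactly once
    if out == html.escape(once, quote=True):
        return "double-escaped"   # '&amp;' shows up literally on the page
    return "unescaped"            # markup in the label reaches the browser as-is


if __name__ == "__main__":
    for tpl in ("&F101_SETTINGS_NLS.", "&F101_SETTINGS_NLS!RAW."):
        for on_fetch in (True, False):
            print(f"{tpl:28} escape_on_fetch={on_fetch!s:5} -> "
                  f"{outcome('Info & Settings', tpl, on_fetch)}")
```

The four combinations map directly onto the post: escape-on-fetch plus a plain substitution is the double-escaped label, escape-on-fetch plus !RAW is correct, and !RAW on an unescaped value is the case that lets markup through.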