
I am making a form with user input, as you can see in the image.

Because of XSS, I am using APEX's own security option:

Restricted characters: Blocklist &<>"/;,*|=% and --

Is there any way that when I type "&" it is automatically converted into &amp;? Or can I create my own custom restricted characters or mapping? I have looked into the apex_escape function, but didn't find a suitable use.

1 Answer


You state "Because of XSS I am using APEX's own security option". Why is that? What are you trying to avoid by doing this? Changing the data while a user is typing it is going to be frustrating for the user. My advice would be to not modify the input but instead secure how the data is displayed. APEX gives a lot of options to do that.

If the data is used in a report, the output can be HTML escaped using the Security > Escape special characters attribute.

If the data is displayed in a page using the &P1_ITEM. notation, then the output can be sanitized using the relevant output escaping, depending on where it is used.

If you decide to go the other route and you do want to sanitize the input, then it's a question of how the data will be used later on in the application. You could create an after-submit computation on the page item using any of the available methods in the APEX_ESCAPE API, depending on the expected use of the data.

Another option is, as you suggest, to create a custom block list. The implementation of the restricted characters functionality is a client-side validation. That can be achieved with a dynamic action and some JavaScript code (up to you to write that). It can also be done server side with a normal validation like the one below.

  • Type: Function body returning Boolean
  • Function body:
DECLARE
    -- characters that must not appear in the submitted value
    l_blacklist_chars apex_t_varchar2 := apex_t_varchar2();
BEGIN
    apex_string.push(l_blacklist_chars,'&');
    apex_string.push(l_blacklist_chars,'<');
    apex_string.push(l_blacklist_chars,'>');
    FOR i IN 1 .. l_blacklist_chars.COUNT LOOP
        IF INSTR(:P312_CUSTOM_BLOCKLIST,l_blacklist_chars(i)) > 0 THEN
            RETURN false;   -- forbidden character found: validation fails
        END IF;
    END LOOP;
    RETURN true;            -- nothing found: validation passes (without this the function would end without a value)
END;
  • Error message: The field contains forbidden characters
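The answer leaves the client-side (dynamic action) variant to the reader. The block below is an added example, not code from the answer or from APEX: a pure-JavaScript equivalent of the blocklist validation using the question's own restricted list, plus the HTML escaping that the "Escape special characters" attribute applies at render time (the "&" to "&amp;" mapping the question asks about). Wiring it into a dynamic action (reading the item value with the APEX JavaScript API) is assumed and not shown, so the functions take the value as a plain string.

```javascript
// Added example (not from the answer or from APEX). Pure functions so they
// run stand-alone; in a page they would be called from a dynamic action
// with the item's current value.

// Restricted sequences from the question: & < > " / ; , * | = % and "--".
// Note that "--" is a two-character sequence, so a plain per-character
// check would miss it; includes() handles both cases.
const RESTRICTED = ['&', '<', '>', '"', '/', ';', ',', '*', '|', '=', '%', '--'];

// Return the restricted sequences present in value (empty array = valid).
// Null/undefined is treated as an empty string, i.e. valid.
function findRestricted(value, blocklist = RESTRICTED) {
  const text = value == null ? '' : String(value);
  return blocklist.filter(seq => text.includes(seq));
}

// Validation in the same shape as the server-side one: null when the value
// passes, otherwise the error message (constructed text).
function validateItem(value, blocklist = RESTRICTED) {
  const hits = findRestricted(value, blocklist);
  return hits.length === 0
    ? null
    : 'The field contains forbidden characters: ' + hits.join(' ');
}

// HTML escaping for a text context. This is the transformation the answer
// recommends applying on output (report column / &P1_ITEM. substitution),
// not to the stored value: the raw "&" stays in the database and is only
// turned into "&amp;" when rendered.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;'
};

function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Caveat the page's discussion implies: escaping is not idempotent. If the
// "&" -> "&amp;" mapping were done on input AND the report also escaped on
// output, users would see "&amp;" on screen. Escape once, at render time.
function escapedTwice(value) {
  return escapeHtml(escapeHtml(value));
}
```

Because `escapeHtml` is applied at display time, a value such as `Tom & Jerry` can be stored unchanged (the commenter's updated requirement) and still render safely in a report; the `escapedTwice` helper only exists to make the double-escaping pitfall visible.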

1 Comment

I was told that due to the risk of XSS attacks, I should apply some restrictions to user input. Therefore, I used the 'Restricted Characters' feature. My requirements have since changed, and the user now needs to be able to include the ampersand character (&). My idea is to map & to &amp;. Thank you for your answer
