It seems I've had this on my "to blog" list since April 2015, but now that 5.1 has been released, it seems more people are coming out to leave 4.x can't work out where the Standard Report Column option is.
|APEX 4.x Display As attribute|
This was required when HTML was present in the query, either to add tabular items manually using apex_item, or to style data (though you should use HTML Expression instead)
|Example of special characters being escaped|
For instance, if you've written a query like so
SELECT APEX_ITEM.CHECKBOX2(1, empno, 'CHECKED') chk, ename
ORDER BY 1
And are only seeing the HTML code in your column output
<input type="checkbox" name="f01" value="7369" CHECKED />
Then you need to Escape Special Characters, now found in the Security section of the column properties as a Yes/No option.
|APEX 5.0 Escape Special Characters attribute|
This is defaulted to Yes to help protect from cross-site scripting (XSS), a common security concern in the web world where data entered by users is stored in the database, then when rendered it can be interpreted as HTML code.
Set to No to allow your data to be rendered as you may expect.
Note that in the 5.0 component view this is still referenced as Display As - Standard Report Column.
The change in terminology is documented in the 5.0 release notes
|Report column property naming differences|
replace(apex_escape.html(card_title), chr(10), '<br>')
You could probably do a variation of this using apex_escape.html_whitelist
If you're combining two fields, separated by the line break:
then you might as well use HTML Expression and keep your data/UI layers separate.
|HTML Expression attribute|
Check out the open source project APEX-SERT to help find potential security concerns with your Oracle APEX applications.
See escaping examples in APEX reports here