Component to inject and interpret String with HTML code into JSF page

Front-end · Unresolved · 1 · 1814
我在风中等你 2020-11-22 14:32

I'm using PrimeFaces with JSF 2.0 to build one application. I'm using PrimeFaces component to enable user to create rich text. But the output

1 answer
  • 2020-11-22 15:12

    JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.

    <h:outputText ... escape="false" />

    This way the HTML won't be escaped and will thus be interpreted by the webbrowser.
    Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.

    • What is the general concept behind XSS?
    • CSRF, XSS and SQL Injection attack prevention in JSF
    • Server side HTML sanitizer/cleanup for JSF
    • Escape everything but linebreaks in h:outputText
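The sanitize-before-redisplay step the answer recommends, as an added example that is not part of the original answer: a JSF 2.0 backing bean that runs the editor's HTML through an allowlist sanitizer on the way in, so that rendering it with `escape="false"` only ever emits tags the application has approved. It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) is on the classpath; the bean name, property name and allowlist are hypothetical choices.

```java
// Added example, not code from the original page. Assumes the OWASP Java HTML
// Sanitizer library is available; RichTextBean and its "html" property are
// hypothetical names. Facelet usage would be:
//   <h:outputText value="#{richTextBean.html}" escape="false" />
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

@ManagedBean
@ViewScoped
public class RichTextBean {

    // Allowlist policy: basic formatting, lists and http(s) links only.
    // Anything not listed (script, style, event-handler attributes,
    // javascript: URLs) is removed rather than escaped.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "u", "strong", "em",
                           "ul", "ol", "li", "a")
            .allowUrlProtocols("http", "https")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .toFactory();

    private String html = "";

    // Sanitize once when the editor submits; the stored value is then safe
    // to render unescaped from any page that uses this bean.
    public void setHtml(String raw) {
        this.html = sanitize(raw);
    }

    public String getHtml() {
        return html;
    }

    public static String sanitize(String raw) {
        return raw == null ? "" : POLICY.sanitize(raw);
    }

    // Stand-alone demonstration with a constructed input.
    public static void main(String[] args) {
        String raw = "<p>Hello <b>world</b></p>"
                   + "<script>alert(1)</script>"
                   + "<a href=\"javascript:alert(1)\">link</a>";
        System.out.println(sanitize(raw));
    }
}
```

Sanitizing in the setter rather than the getter means the stored value is already clean, so a second page rendering the same property with `escape="false"` cannot reintroduce the problem.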