Component to inject and interpret String with HTML code into JSF page

I'm using PrimeFaces with JSF 2.0 to build one application. I'm using the PrimeFaces <p:editor> component to enable the user to create rich text. But the output of this component is HTML source which looks like this:

String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";

When I show this in a <h:outputText> as below:

<h:outputText value="#{bean.text}" />

Then it shows the HTML code as plain text:

<p>This text <i>contains</i> some <b>HTML</b> code.</p>

Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?

This text contains some HTML code.

asked Sep 30 '12 16:09 by kaysush

1 Answer

JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.

<h:outputText ... escape="false" />

This way the HTML won't be escaped and will thus be interpreted by the web browser.


Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.

  • What is the general concept behind XSS?
  • CSRF, XSS and SQL Injection attack prevention in JSF
  • Server side HTML sanitizer/cleanup for JSF
  • Escape everything but linebreaks in h:outputText
answered Sep 21 '22 06:09 by BalusC
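The answer above says to sanitize the user's HTML before rendering it with escape="false". Below is an added example of one way to do that, written for this page and not taken from the question, the answer or PrimeFaces. It assumes jsoup (org.jsoup:jsoup) and the JSF 2.0 API are on the classpath; the bean name EditorBean, the property names text and safeText, and the sample input are illustrative only. The sanitizer keeps simple formatting tags such as <p>, <i> and <b> (the ones the editor emits) and drops anything that could execute script, so the remaining markup can safely be rendered unescaped.

```java
// Added example, not from the original question or answer.
// Assumes jsoup and the JSF 2.0 API on the classpath; all names are illustrative.
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import java.io.Serializable;

@ManagedBean
@ViewScoped
public class EditorBean implements Serializable {

    // Raw HTML exactly as produced by <p:editor value="#{editorBean.text}" />.
    private String text;

    // Safelist.basic() permits plain formatting tags (p, b, i, em, strong, ul,
    // ol, li, a, ...) and only harmless attributes on them. <script>, <iframe>,
    // <style>, on* event-handler attributes and javascript: URLs are removed.
    private static final Safelist SAFELIST = Safelist.basic();

    // Reduce untrusted HTML to the allowed subset. Never rendered unescaped
    // without going through here.
    public static String sanitize(String html) {
        if (html == null) {
            return "";
        }
        return Jsoup.clean(html, SAFELIST);
    }

    public String getText() {
        return text;
    }

    public void setText(String text) {
        this.text = text;
    }

    // Bind this getter, not getText(), to the unescaped output:
    //   <h:outputText value="#{editorBean.safeText}" escape="false" />
    public String getSafeText() {
        return sanitize(text);
    }

    // Stand-alone demonstration of the sanitizer outside a JSF container.
    public static void main(String[] args) {
        // Constructed sample: the legitimate formatting from the question, plus
        // the kind of markup a sanitizer must strip before unescaped rendering.
        String input = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>"
                     + "<script>alert('x')</script>"
                     + "<b onmouseover=\"alert('x')\">bold</b>";

        // The <p>, <i> and <b> elements survive; the <script> element and the
        // onmouseover attribute do not.
        System.out.println(sanitize(input));
    }
}
```

Sanitizing in the getter, as shown, protects every page that renders the property, but it also re-parses the HTML on each render; sanitizing once in the setter (or just before persisting) is the alternative if the text is stored and displayed often. In jsoup releases before 1.14.1 the Safelist class is called Whitelist with the same methods.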