Menu
From the dbms I get stuff like <font color="red"> abc</font>. When it reaches the ${someManagedBean.someValue} in my xhtml file the output is sanitized. That is great for 99,999% of all cases.
Question: Is there some way to disable this auto escaping?
Bonus Question: Can I only allow html and disallow javascript?
827
<h:outputText value="#{someManagedBean.someValue}" escape="false" />
https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html
escape=false
Not sure about preventing JS only though. You might have to parse the HTML yourself to get rid of <script> and contents.
EDIT - Removed link (http://www.jsftoolbox.com/documentation/help/12-TagReference/html/h_outputText.html) because it was stale. Replaced with Oracle link.
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
