JSF please don't escape my html [duplicate]_问答_开发者

JSF please don't escape my html [duplicate]

开发者 https://www.devze.com 2023-04-05 02:46 出处：网络

This question already has an answer here: Component to inject and interpret String with HTML code into JSF page

This question already has an answer here: Component to inject and interpret String with HTML code into JSF page (1 answer) Closed 6 years ago.

From the dbms I get stuff like <fon开发者_开发知识库t color="red"> abc</font>. When it reaches the ${someManagedBean.someValue} in my xhtml file the output is sanitized. That is great for 99,999% of all cases.

Question: Is there some way to disable this auto escaping?

Bonus Question: Can I only allow html and disallow javascript?

<h:outputText value="#{someManagedBean.someValue}" escape="false" />

https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html

escape=false

Not sure about preventing JS only though. You might have to parse the HTML yourself to get rid of <script> and contents.

EDIT - Removed link (http://www.jsftoolbox.com/documentation/help/12-TagReference/html/h_outputText.html) because it was stale. Replaced with Oracle link.

outputFormat tag can help you. Please check http://www.mkyong.com/jsf2/jsf-2-outputformat-example/