JSF 2.0; escape = "false" alternative to prevent XSS?
In my JSF web application I am using message.properties to output some text. This text may contain HTML line breaks to format the output text.
Everything works fine if I set the escape="false" attribute on the output text.
The problem is that this "false" attribute does not protect against XSS (cross site scripting), so I remove this attribute and use the default "true".
So, I don't want to split all text lines into separate properties in my .properties messages, like in this example:
mytext = This is my text<br />with line break and user value {0}...
into:
mytext1 = This is my text
mytext2 = with line break and user value {0}...
Is there any way other than escape="false" that still prevents XSS?
Thanks!
It should be possible to just escape the user-supplied parameter using the standard JSTL functions in the namespace http://java.sun.com/jsp/jstl/functions:
<h:outputFormat value="#{bundle.myMessage}" escape="false">
    <f:param value="#{fn:escapeXml(param)}"/>
</h:outputFormat>
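To make the ordering in the answer above concrete, here is an added stand-alone Java example (not JSF's or JSTL's own code) that models the three renderings with java.text.MessageFormat: the default escape="true", escape="false" with a raw parameter, and escape="false" with the parameter escaped first. The escapeXml helper is a hypothetical stand-in for fn:escapeXml, and the user value is a constructed sample.

```java
import java.text.MessageFormat;

/** Models how h:outputFormat renders the page's message under each escaping choice. */
public class OutputFormatEscaping {

    // Trusted template from message.properties; the <br /> is intentional markup.
    static final String TEMPLATE = "This is my text<br />with line break and user value {0}...";

    // Constructed sample standing in for the user-supplied {0} parameter.
    static final String USER_INPUT = "<script>alert(1)</script>";

    /** Hypothetical stand-in for JSTL fn:escapeXml: escapes the five XML-significant characters. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** escape="true" (the default): the whole formatted string is escaped, so the <br /> is lost too. */
    static String escapeWholeOutput(String template, String param) {
        return escapeXml(MessageFormat.format(template, param));
    }

    /** escape="false" with a raw f:param: the template markup survives, but so does the payload. */
    static String rawOutput(String template, String param) {
        return MessageFormat.format(template, param);
    }

    /** escape="false" with fn:escapeXml on the parameter: template markup kept, parameter neutralised. */
    static String escapeParamOnly(String template, String param) {
        // Escape the argument, never the pattern: MessageFormat gives quotes in the pattern special meaning.
        return MessageFormat.format(template, escapeXml(param));
    }

    public static void main(String[] args) {
        System.out.println("escape=true            : " + escapeWholeOutput(TEMPLATE, USER_INPUT));
        System.out.println("escape=false, raw param: " + rawOutput(TEMPLATE, USER_INPUT));
        System.out.println("escape=false, escapeXml: " + escapeParamOnly(TEMPLATE, USER_INPUT));
    }
}
```

Only the third variant keeps the line break from the properties file while rendering the user value as inert text; this is the split the answer relies on, with the template trusted and only the parameter treated as untrusted.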