JSF 2.0; escape=“false” alternative to prevent XSS?

Question

In my jsf webapplication i\'m using a messages.properties to output some text. This text could have html line breaks so format the outputtext.

That all works fine, i

Answer 1

It should be possible to just escape the user supplied parameter using the standard jstl functions in the http://java.sun.com/jsp/jstl/functions namespace: