JSF 2.0; escape="false" alternative to prevent XSS?

南方客 2020-12-18 12:35

In my JSF web application I'm using a messages.properties to output some text. This text could have HTML line breaks to format the outputtext.

That all works fine, i

2 answers
  •  误落风尘
    2020-12-18 13:03

    XSS can't happen if you're outputting some HTML from a safe source which is not input or editable by the user. You can safely use escape="false" in this case.
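An added example, not part of the original answer or of any project's code: when a bundle entry carries `{0}` placeholders filled from user input, the template is still a safe source but the arguments are not, so only the arguments are escaped before the result is rendered with `<h:outputText escape="false"/>`. The class name `BundleHtml`, the `greeting` entry and the sample values are assumptions made for illustration.

```java
import java.text.MessageFormat;

public final class BundleHtml {

    // Minimal HTML escaping for text placed in element content
    // or inside a quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // pattern: trusted text from messages.properties; its markup
    //          (for example <br/>) is kept as written.
    // args:    untrusted values; each one is converted to a string
    //          and escaped before it is substituted into the pattern.
    static String format(String pattern, Object... args) {
        Object[] safe = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            safe[i] = escapeHtml(String.valueOf(args[i]));
        }
        return MessageFormat.format(pattern, safe);
    }

    public static void main(String[] unused) {
        // Constructed sample standing in for a bundle entry such as:
        //   greeting=Hello {0},<br/>welcome back.
        String pattern = "Hello {0},<br/>welcome back.";
        // Constructed untrusted input, e.g. a name typed by a user.
        String userName = "<script>alert(1)</script>";
        // The <br/> from the bundle survives; the markup in userName
        // is turned into character entities.
        System.out.println(format(pattern, userName));
    }
}
```

A backing bean would expose the returned string, and the view would bind it with `escape="false"`. Note that `MessageFormat` treats a single quote in the pattern as a quoting character, so apostrophes in bundle text must be doubled.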
