I'm using Java Resource Bundles to manage messages.
I need to display a message in a JSF page and the message also contains some HTML markup. Unfortunately the HTML code is also displayed on screen instead of being rendered as HTML by the browser, i.e.:
Click me <a href="link....">here</a>
My message in properties file:
clickme=Click me <a href="link....">here</a>
My JSF:
<h:outputText value="#{messages['clickme']}" />
Any ideas?
Thanks
JSF/Facelets escapes HTML special characters by default in order to prevent XSS attacks when redisplaying user-controlled data. You can turn it off on a per-<h:outputText> basis by explicitly setting the escape attribute to false.
<h:outputText value="#{messages['clickme']}" escape="false" />
You only need to make absolutely sure that you don't do this for unsanitized user-controlled data, which is everything which comes in with an HTTP request such as headers, cookies, parameters, body, etc.
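An added example (not from the question or the answer) of a Facelets page that applies this distinction on one page: the developer-authored bundle message is rendered unescaped, a request parameter keeps the default escaping, and a formatted message that mixes the two escapes only the untrusted part. It assumes the bundle is exposed as var="messages" (as in the question) and additionally defines a constructed key greet=Hello, <b>{0}</b>!

```xml
<!-- Added example, not the asker's page. Assumes a bundle exposed as
     var="messages" with the question's clickme key plus a constructed
     key: greet=Hello, <b>{0}</b>! -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:fn="http://java.sun.com/jsp/jstl/functions">
<h:body>
    <!-- Trusted: the markup was written by the developer into the
         .properties file, so rendering it unescaped is acceptable. -->
    <h:outputText value="#{messages['clickme']}" escape="false" />

    <!-- Untrusted: a request parameter. Leave escape at its default of
         true, so a value such as a script tag is shown as text, not run. -->
    <h:outputText value="#{param.name}" />

    <!-- Pitfall: escape="false" on h:outputFormat applies to the whole
         formatted string, so an f:param taken straight from the request
         would be substituted into the message and rendered unescaped.
         Fix: keep escape="false" for the trusted bundle markup, but escape
         the untrusted parameter itself before it is substituted. -->
    <h:outputFormat value="#{messages['greet']}" escape="false">
        <f:param value="#{fn:escapeXml(param.name)}" />
    </h:outputFormat>
</h:body>
</html>
```

Note that Facelets evaluates EL inside XML comments unless comment skipping is enabled, so the comments above deliberately contain no expressions.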