Can I use special characters and HTML tags in p:outputLabel without escape false? When escape false is ok. escape="false" can be an XSS hole. Is there another way?
-
you should add more background to your question – J3STER Jan 19 '17 at 02:51
-
If a `p:outputLabel` with `escape="false"` works and does what it is intended to do and is used in a way that it is intended to be used, _Why do you need it to work **without** escape="false" then?_ – Kukeltje Jan 19 '17 at 08:44
-
escape="false" can be an XSS hole. – Pyay Thar Jan 19 '17 at 15:00
-
xss and jsf are completely separate technologies/methods. – Mark W Jan 24 '17 at 08:19
-
See here: http://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf – Pyay Thar Jan 24 '17 at 10:44
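One way to keep a few formatting tags in a `p:outputLabel` rendered with `escape="false"` without passing raw input through, as an added example that is not part of the original thread: escape the whole string first, then restore only exact, attribute-less tags from an allowlist. The class name `SafeLabelMarkup`, the method `toSafeHtml` and the tag allowlist are assumptions made for illustration; a backing bean getter would return `toSafeHtml(...)` as the label value.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafeLabelMarkup {
    // Hypothetical allowlist: attribute-less formatting tags, matched in their escaped form.
    private static final Pattern ALLOWED = Pattern.compile(
        "&lt;(/?)(b|i|em|strong|u)&gt;|&lt;br ?/?&gt;", Pattern.CASE_INSENSITIVE);

    // Escape every character that is significant in HTML text or attribute values.
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape everything, then turn back only exact allowlisted tags.
    // A tag carrying any attribute never matches, so it stays escaped text.
    public static String toSafeHtml(String untrusted) {
        if (untrusted == null) return "";
        Matcher m = ALLOWED.matcher(escape(untrusted));
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String tag = (m.group(2) == null)
                ? "<br/>"
                : "<" + m.group(1) + m.group(2).toLowerCase() + ">";
            m.appendReplacement(sb, Matcher.quoteReplacement(tag));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: allowed tags, a script tag, a tag with an attribute.
        String in = "Price <b>5 & up</b><br><script>alert(1)</script> <i onclick=x>hi</i>";
        System.out.println(toSafeHtml(in));
    }
}
```

The output can contain an unbalanced closing tag when the matching opening tag carried attributes and was left escaped; that affects formatting only, since no attribute or non-allowlisted element is ever emitted as markup.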