From the dbms I get stuff like <font color="red"> abc</font>. When it reaches the ${someManagedBean.someValue} in my xhtml file the output is sanitized. That is great for 99,999% of all cases.
Question: Is there some way to disable this auto escaping?
Bonus Question: Can I only allow html and disallow javascript?
https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html
escape=false
Not sure about preventing JS only though. You might have to parse the HTML yourself to get rid of <script> and contents.
EDIT - Removed link (http://www.jsftoolbox.com/documentation/help/12-TagReference/html/h_outputText.html) because it was stale. Replaced with Oracle link.
outputFormat tag can help you. Please check http://www.mkyong.com/jsf2/jsf-2-outputformat-example/
