Thursday, 11 June 2015

[OmniFaces utilities 2.0] Write the given text either HTML-escaped or unescaped


[OmniFaces utilities] The writeText() method writes the given text either HTML-escaped or unescaped. With escape set to true, markup characters such as <, > and & are turned into entities, so the browser displays the text literally; with escape set to false the text is written verbatim and the browser interprets it as markup. Beware of potential XSS holes when user-controlled input is written unescaped!

Method:
public static void writeText(ResponseWriter writer, UIComponent component, String text, boolean escape) throws IOException

Usage:

Markup to be displayed escaped or unescaped (an Internet Explorer (IE) conditional comment that loads a stylesheet only in IE 9 and earlier):
<!--[if lte IE 9]><link rel="stylesheet" href="#{resource['default:css/ie.css']}" /><![endif]-->

Escaped markup (XSS attack protected):
import java.io.IOException;

import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;

import org.omnifaces.util.Renderers;
...
@Override
public void encodeBegin(FacesContext context) throws IOException {
 ResponseWriter writer = context.getResponseWriter();
 ...
 // escape = true: '<', '>' and '&' are written as entities, so the browser shows the text instead of interpreting it
 Renderers.writeText(writer, this, "<!--[if lte IE 9]><link rel=\"stylesheet\" href=\""
           + "#{resource['default:css/ie.css']}\" /><![endif]-->", true);
 ...
}

Page source code (the markup characters have become entities; exactly which characters are escaped, quotes in particular, depends on the ResponseWriter implementation in use):
&lt;!--[if lte IE 9]&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;#{resource['default:css/ie.css']}&quot; /&gt;&lt;![endif]--&gt;

On screen (shown as literal text, not interpreted as a comment):
<!--[if lte IE 9]><link rel="stylesheet" href="#{resource['default:css/ie.css']}" /><![endif]-->

Unescaped markup (potential XSS attack hole):
import java.io.IOException;

import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;

import org.omnifaces.util.Renderers;
...
@Override
public void encodeBegin(FacesContext context) throws IOException {
 ResponseWriter writer = context.getResponseWriter();
 ...
 // escape = false: the string is written verbatim and the browser interprets it as markup
 Renderers.writeText(writer, this, "<!--[if lte IE 9]><link rel=\"stylesheet\" href=\""
           + "#{resource['default:css/ie.css']}\" /><![endif]-->", false);
 ...
}

Page source code (written verbatim):
<!--[if lte IE 9]><link rel="stylesheet" href="#{resource['default:css/ie.css']}" /><![endif]-->

On screen:
Nothing is displayed: every browser treats the conditional comment as an ordinary HTML comment, and IE 9 or earlier additionally loads the referenced stylesheet. This is the intended result for developer-authored markup, and it is exactly why the unescaped variant must never be used for text a user can influence.

Note: for cases like the one above you can rely on the OmniFaces ConditionalComment component (o:conditionalComment) instead of writing the comment by hand.
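The following component shows the decision rule behind the two snippets above in one place: developer-authored markup (the comment delimiters) is written with escape=false, a value that can originate from request data is written with escape=true, and the attribute of the generated link goes through the ResponseWriter's element API, whose writeAttribute() escapes for the attribute context. This is an added example, not code from the OmniFaces project or the original post; the component name example.IeStylesheet, the namespace http://example.com/jsf and the attributes condition, href and message are hypothetical, and it assumes JSF 2.2 with OmniFaces 2.0 on the classpath.

```java
package example;

import java.io.IOException;
import java.util.regex.Pattern;

import javax.faces.component.FacesComponent;
import javax.faces.component.UIComponentBase;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;

import org.omnifaces.util.Renderers;

/**
 * Added example (not OmniFaces code). Renders
 *   <!--[if CONDITION]><link rel="stylesheet" href="HREF" /><![endif]-->
 * followed by an optional visible message.
 *
 * Page usage (hypothetical namespace "e"):
 *   <e:ieStylesheet condition="lte IE 9"
 *                   href="#{resource['default:css/ie.css']}"
 *                   message="#{param['msg']}" />
 */
@FacesComponent(value = "example.IeStylesheet", createTag = true,
                namespace = "http://example.com/jsf")
public class IeStylesheet extends UIComponentBase {

    // Only the operators IE conditional comments understand, e.g. "lte IE 9".
    private static final Pattern IE_CONDITION =
        Pattern.compile("(?:lt|lte|gt|gte)? ?IE [0-9]+");

    @Override
    public String getFamily() {
        return "example";
    }

    @Override
    public void encodeBegin(FacesContext context) throws IOException {
        ResponseWriter writer = context.getResponseWriter();
        String condition = attr("condition", "lte IE 9");
        String href = attr("href", "");
        String message = attr("message", null);

        // An attribute value is not a literal in the page: it may be an EL
        // expression bound to request data. Since the condition is concatenated
        // into unescaped markup, refuse anything that is not a plain IE condition
        // instead of letting "]>--><script>..." close the comment early.
        if (!IE_CONDITION.matcher(condition).matches()) {
            throw new IllegalArgumentException("Illegal IE condition: " + condition);
        }

        // Comment delimiters plus the validated condition are trusted markup:
        // write them unescaped (escape = false), as in the post's second case.
        Renderers.writeText(writer, this, "<!--[if " + condition + "]>", false);

        // The stylesheet link is emitted through the element API. writeAttribute()
        // escapes for the attribute context, so a href containing '"' or '>'
        // cannot break out of the attribute or inject a second element.
        writer.startElement("link", this);
        writer.writeAttribute("rel", "stylesheet", null);
        writer.writeAttribute("href", href, "href");
        writer.endElement("link");

        Renderers.writeText(writer, this, "<![endif]-->", false);

        // Anything that can be user-controlled is written escaped (escape = true):
        // "<script>alert(1)</script>" is shown as text, never executed.
        if (message != null) {
            Renderers.writeText(writer, this, message, true);
        }
    }

    // Reads a component attribute as a string, falling back to the given default.
    private String attr(String name, String defaultValue) {
        Object value = getAttributes().get(name);
        return value == null ? defaultValue : value.toString();
    }
}
```

Pass the stylesheet URL from the page through an EL attribute, as in the usage comment above; a Java string literal such as "#{resource[...]}" is never EL-evaluated by the ResponseWriter and would reach the browser verbatim. The whitelist on condition is what makes the unescaped write safe; without it, "trusted" would merely describe where the developer hoped the value came from.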
