System event listener that sanitizes HTML content in components with escape="false".
This helps prevent XSS vulnerabilities while still allowing some HTML formatting, using an OWASP Java HTML Sanitizer PolicyFactory (an allowlist-based sanitizer applied to the output of components rendered with escape="false").
See also
Sanitizing Converter
pom.xml
<dependency>
<!-- OWASP Java HTML Sanitizer: supplies the PolicyFactory the listener uses to sanitize escape="false" output; without it on the classpath the listener cannot load -->
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<!-- pinned sanitizer release; review for newer releases periodically so policy fixes are picked up -->
<version>20240325.1</version>
</dependency>
faces-config.xml
<application>
<!-- Registers the EscapeSanitizerComponentListener so components with escape="false" have their HTML sanitized -->
<system-event-listener>
<system-event-listener-class>org.primefaces.extensions.application.EscapeSanitizerComponentListener</system-event-listener-class>
<!-- event that triggers the listener: published after the source component is added to the view tree -->
<system-event-class>jakarta.faces.event.PostAddToViewEvent</system-event-class>
<!-- restricts the listener to the h:body component (presumably so it walks the view once per page; confirm against the listener source) -->
<source-class>jakarta.faces.component.html.HtmlBody</source-class>
</system-event-listener>
</application>