We have a use case where we need to output text that is a combination of static text and dynamic values from the database; the full text is resolved using message properties with language-specific static text blocks.
We need to escape the output text to prevent XSS attacks.
However, we also need to apply formatting to the full string, for example:
Hello <b>{username}</b>!
This is a pseudo syntax of course: {username} is a variable to be replaced with the real username, the other text is static and defined in a message property (e.g.: "Hello <b>{0}</b>!").
A normal JSF outputText won't work since it will either escape everything or nothing, thus destroying our formatting.
Note that we can't make a "real" JSF component out of these fragments either since the position and ordering of the variable fields is language dependent (different word order in German vs English for example).
Seam has this component called formattedText that deals with this and has an elegant solution. However, we don't (and can't) use Seam in our app.
Are there any similar approaches/libraries?
Just apply JSTL fn:escapeXml on the output parameter.
<!-- escape="false" keeps the <b> markup from the message bundle; only the dynamic parameter is escaped -->
<!-- fn: requires xmlns:fn="http://java.sun.com/jsp/jstl/functions" declared on the page -->
<h:outputFormat value="#{text['generic.welcome']}" escape="false">
    <f:param value="#{fn:escapeXml(user.name)}" />
</h:outputFormat>
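The same "escape the parameter, not the trusted template" pattern in plain Java, as an added example that is not part of the answer above: the message templates, the locales and the user name are constructed sample values, and escapeXml is a minimal stand-in for JSTL's fn:escapeXml.

```java
import java.text.MessageFormat;
import java.util.Locale;
import java.util.Map;

public class SafeFormattedMessage {

    // Constructed locale-specific templates, as they would sit in message properties.
    // The placeholder position differs per language, so the markup must stay in the template.
    static final Map<Locale, String> WELCOME = Map.of(
        Locale.ENGLISH, "Hello <b>{0}</b>, welcome back!",
        Locale.GERMAN,  "Willkommen zurück, <b>{0}</b>!");

    // Minimal equivalent of fn:escapeXml: neutralise the five XML-significant characters.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escape the dynamic value first, then let MessageFormat place it into the template.
    // MessageFormat only touches the {0} placeholder, so the template's <b> survives
    // while any markup inside the parameter is rendered as literal text.
    static String render(Locale locale, String userName) {
        String template = WELCOME.get(locale);
        return new MessageFormat(template, locale).format(new Object[] { escapeXml(userName) });
    }

    public static void main(String[] args) {
        String userName = "<u>Mallory</u> & co";   // constructed input containing markup
        // Unsafe: the parameter is inserted verbatim, so its <u> tag reaches the page.
        System.out.println(MessageFormat.format(WELCOME.get(Locale.ENGLISH), userName));
        // Safe: only the parameter is escaped; the template's <b> is kept in both languages.
        System.out.println(render(Locale.ENGLISH, userName));
        System.out.println(render(Locale.GERMAN, userName));
    }
}
```

In JSF terms, escape="false" corresponds to trusting the template, and fn:escapeXml to escapeXml() here; a template whose text itself comes from user input would have to be escaped as well.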