JSF please don't escape my html [duplicate]

This question already has an answer here: Component to inject and interpret String with HTML code into JSF page (1 answer) Closed 6 years ago.

From the dbms I get stuff like <fon开发者_开发知识库t color="red"> abc</font>. When it reaches the ${someManagedBean.someValue} in my xhtml file the output is sanitized. That is great for 99,999% of all cases.

Question: Is there some way to disable this auto escaping?

Bonus Question: Can I only allow html and disallow javascript?

---

<h:outputText value="#{someManagedBean.someValue}" escape="false" /> 

---

https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html

escape=false

Not sure about preventing JS only though. You might have to parse the HTML yourself to get rid of <script> and contents.

---

EDIT - Removed link (http://www.jsftoolbox.com/documentation/help/12-TagReference/html/h_outputText.html) because it was stale. Replaced with Oracle link.

---

outputFormat tag can help you. Please check http://www.mkyong.com/jsf2/jsf-2-outputformat-example/