Is the Primefaces p:editor safe to use?


I mean, the PrimeFaces p:editor uses HTML to structure the text, so I have to set the escape attribute of h:outputText to false to show the output without HTML tags.

I was trying to play around a bit with this component, and entered the following JavaScript:

<script>
    $(document).ready(function(){
        $("div").text("haha");
    })
</script>

The output was the same (I got plain text, no JS execution) until I turned on the 'Show Source' option and entered the same thing. Now when I tried to display the text, the JavaScript was executed and ruined the page.

So my question would be: Is there a vulnerability in my approach, implementation or usage of this component, or is the p:editor itself this vulnerable? Should I use a simple textarea instead, or is there a way to remove this option from the editor?

You can disable any control of the editor with the "controls" attribute.

http://courses.coreservlets.com/Course-Materials/pdf/jsf/primefaces/users-guide/p-editor.pdf

bold • italic • underline • strikethrough • subscript • superscript • font • size • style • color • highlight • bullets • numbering • alignleft • center • alignright • justify • undo • redo • rule • image • link • unlink • cut • copy • paste • pastetext • print • source • outdent • indent • removeFormat

You can use any of the above keywords to specify which controls you want.

e.g.:
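As an added example, not part of the answer above and not PrimeFaces' own code: leaving "source" out of the controls list only hides the toolbar button on the client. Whatever HTML the browser submits still arrives at the server and is later rendered with escape="false", so the markup has to be sanitized server-side against an allow-list of the tags the editor's controls actually produce. The class below does that with jsoup (assumed on the classpath, version 1.14 or later for the Safelist class); the controls string, the bean names and the XHTML wiring shown in the comments are illustrative assumptions, as are the constructed sample inputs.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Server-side sanitizer for HTML produced by p:editor, applied before the
 * value is rendered with <h:outputText escape="false">.
 *
 * Added example; assumes jsoup 1.14+ (org.jsoup:jsoup) on the classpath.
 *
 * Assumed page wiring (illustrative, not from the original post):
 *
 *   <p:editor value="#{postBean.rawHtml}"
 *             controls="bold italic underline strikethrough bullets numbering link unlink" />
 *   <h:outputText value="#{postBean.safeHtml}" escape="false" />
 *
 * where postBean.getSafeHtml() returns EditorSanitizer.sanitize(rawHtml).
 * Omitting "source" from controls removes only the toolbar button; a client
 * can still submit arbitrary HTML in the request, so this sanitizer is the
 * actual security control, not the toolbar configuration.
 */
public final class EditorSanitizer {

    // Allow-list matching the editor's formatting controls: b, i, u, strike,
    // sub, sup, ul, ol, li, p, br, a (http/https/mailto hrefs, rel=nofollow
    // enforced), etc. Tags and attributes outside the list (script, iframe,
    // img, on* event handlers, style) are removed. Widening this list, e.g.
    // to keep inline colours via style attributes, is a deliberate decision
    // that has to be reviewed separately.
    private static final Safelist ALLOWED = Safelist.basic();

    private EditorSanitizer() {
    }

    /** Returns a copy of the editor output containing only allow-listed markup. */
    public static String sanitize(String editorHtml) {
        if (editorHtml == null) {
            return "";
        }
        return Jsoup.clean(editorHtml, ALLOWED);
    }

    /** True when the input already contains nothing outside the allow-list. */
    public static boolean isSafe(String editorHtml) {
        return editorHtml == null || Jsoup.isValid(editorHtml, ALLOWED);
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload from the question as it would be pasted
        // via "Show Source" (plus an event-handler variant), and ordinary formatted
        // text as the editor produces it with the bold/underline/link controls.
        String attack = "<p>hello</p>"
                + "<script>$(document).ready(function(){ $(\"div\").text(\"haha\"); })</script>"
                + "<img src=x onerror=\"alert(1)\">";
        String benign = "<p><b>bold</b> and <u>underlined</u> "
                + "<a href=\"https://example.com\">link</a></p>";

        // The script and img elements are dropped, the paragraph is kept.
        System.out.println("attack safe? " + isSafe(attack));
        System.out.println(sanitize(attack));

        // Formatting from the allowed controls passes through unchanged,
        // apart from rel="nofollow" being added to the link.
        System.out.println("benign safe? " + isSafe(benign));
        System.out.println(sanitize(benign));
    }
}
```

isSafe() is useful as an input-time validator (reject or log submissions that contain anything outside the allow-list) while sanitize() is what the output path should always call, so that content stored before the sanitizer existed is also rendered safely.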