I am not quite familiar with UI technology. In the code, there is something like following: ${param['xxx']} is the ${} a JSF recognized expression? Or it is a JBOSS SEAM expression since we used SEAM.
– Mr wuAug 20 '13 at 03:48
In JSF, everything is HTML-encoded, unless you explicitly set escape="false" attribute on the tag/component supporting that attribute (such as <h:outputText>).
This thus also covers the value of any <h:inputXxx> component.