Use a HTML parser which supports HTML filtering against a whitelist like Jsoup. Here’s an extract of relevance from its site.
Sanitize untrusted HTML
Problem
You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.
Solution
Use the jsoup HTML
Cleaner
with a configuration specified by aWhitelist
.String unsafe = "<p><a href="http://example.com/" onclick='stealCookies()'>Link</a></p>"; String safe = Jsoup.clean(unsafe, Whitelist.basic()); // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>
And then to display it with whitespace preserved, apply CSS white-space: pre-wrap;
on the HTML element where you’re displaying it.
No all-in-one JSF component comes to mind.