I'm using rich:fileUpload in my application on Red Hat. When I try to upload any file containing HTML code in the file name, i.e. "file<img src=sam onerror=alert('poseidon')>Name.pdf", it gives me a JavaScript alert before uploading the file. I tried it on the live demo and found the same issue there as well. How can I restrict/escape execution of HTML/script or XSS in the file name on Red Hat?
You can try it yourself by following steps on Red Hat.
I want to filter that out to prevent JavaScript from getting executed.
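
The filtering asked about above, as an added example that is not part of the original post and is not RichFaces code: it HTML-encodes a file name before it is placed into markup and rejects names outside an allow-list. It assumes the file-list entry is built as an HTML string; all function names and the `upload-item` class are hypothetical.

```javascript
// Added example: hypothetical helpers, not taken from RichFaces.
// Assumption: the upload widget builds each file-list entry as an HTML string.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Encode every character that has meaning in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the file name is concatenated into markup as-is, so any tag
// inside the name is parsed by the browser when the string is inserted.
function renderEntryUnsafe(fileName) {
  return '<li class="upload-item">' + fileName + '</li>';
}

// "After": the name is encoded first and can only be displayed as text.
// With direct DOM access, assigning to element.textContent does the same job.
function renderEntrySafe(fileName) {
  return '<li class="upload-item">' + escapeHtml(fileName) + '</li>';
}

// Defence in depth: allow-list check applied before listing or uploading.
// Permits letters, digits, space, dot, underscore, hyphen and parentheses,
// and refuses names made only of dots ("." and "..").
function isAcceptableFileName(fileName) {
  return /^[\p{L}\p{N} ._()-]{1,255}$/u.test(fileName) && !/^\.+$/.test(fileName);
}

// Constructed sample input: the file name quoted in the question.
const sampleName = "file<img src=sam onerror=alert('poseidon')>Name.pdf";

console.log(renderEntryUnsafe(sampleName));    // markup still contains a live <img> tag
console.log(renderEntrySafe(sampleName));      // tag is encoded and inert
console.log(isAcceptableFileName(sampleName)); // false
```

The same encoding has to be applied on the server wherever the stored file name is written back into a page, since a client-side check can be bypassed.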