Inspectopedia Help

Unescaped EL Expressions

Reports non-safe data in unescaped EL expressions in JSP pages. Such cases may lead to a cross-site scripting (XSS) vulnerability.

The description below uses the term untainted data for safe, trusted data, as opposed to tainted (non-safe, untrusted) data. See taint checking for more information.

A safe (untainted) object is:

  • a primitive data type (except char)

  • a result of a call of a method that is marked as untainted

  • a field that is marked as untainted

A JSP page can render the provided data in different contexts, and data that is safe in one context is not necessarily safe in all of them. See the Cross Site Scripting Prevention Cheat Sheet for examples. This inspection skips data marked as untainted (safe) in ALL contexts.

This inspection supports the following options to mark methods and fields as safe:

  • by using any annotation from the configurable list of untainted annotations

  • by configuring the list of safe methods and fields

This inspection does not highlight places where non-safe data reaches safe tags in JSP pages. For example, the out tag from the JSTL taglib is secure because it escapes the given value by default. The list of safe tags is configurable (omit the tag or attribute value to cover a whole range).

The "Wrap in JSTL <out> tag" quick fix wraps an EL expression in the JSTL out tag (<c:out>).

Before:

${foo}

After:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${foo}"/>

The "Wrap in JSTL escapeXml() function" quick fix wraps a non-safe value in the JSTL escapeXml() escaping function.

Before:

<%@ taglib prefix="custom" uri="WEB_INF/custom.tld" %>
<custom:tag value="${foo}"/>

After:

<%@ taglib prefix="custom" uri="WEB_INF/custom.tld" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<custom:tag value="${fn:escapeXml(foo)}"/>

Further quick fixes add the selected tag to the safe tags list or annotate the related method (or field) with an untainted annotation.
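To make the effect of the two quick fixes concrete, here is an added example in plain Java (not code from this page or from the JSP plugin): it re-implements the character mapping that JSTL's <c:out> and fn:escapeXml() apply and renders a constructed tainted value once unescaped, as ${foo} would, and once escaped. The class name, method names and sample value are assumptions made for the example.

```java
// Added example: a plain-Java re-implementation of the JSTL escapeXml mapping,
// used to compare what ${foo} and ${fn:escapeXml(foo)} write into the response.
public final class EscapeXmlDemo {

    /** JSTL escapeXml table: the five characters & < > " ' become character references. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What an unescaped ${foo} in HTML body context writes: the value verbatim, markup included. */
    static String renderUnescaped(String foo) {
        return "<p>Hello, " + foo + "</p>";
    }

    /** What <c:out value="${foo}"/> or ${fn:escapeXml(foo)} writes in the same place. */
    static String renderEscaped(String foo) {
        return "<p>Hello, " + escapeXml(foo) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed tainted value standing in for a request parameter that carries markup.
        String foo = "<b>Mallory</b> & \"Co\"";

        // The <b> element and the bare ampersand pass through and are parsed by the browser as markup.
        System.out.println(renderUnescaped(foo));

        // The same characters arrive as character references and are displayed as literal text.
        // Note the context caveat from the page: this mapping covers HTML element content and
        // quoted attribute values only; it does not by itself make a value safe inside a script
        // block or a URL, where a different encoding is required.
        System.out.println(renderEscaped(foo));
    }
}
```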

Inspection options

Option                                | Type        | Default
                                      | TabSet      | None
  Safe Tags                           | Tab         | None
    Safe tags                         | Table       | None
      Namespace                       | TableColumn | [http://java.sun.com/jsp/jstl/core]
      Tag                             | TableColumn | [out]
      Attribute                       | TableColumn | [value]
    Safe tags for quick fix           | Table       | None
      Namespace                       | TableColumn | [http://java.sun.com/jsp/jstl/core]
      Tag                             | TableColumn | [out]
      Attribute                       | TableColumn | [value]
    Suggest JSTL escapeXml() as fix   | Checkbox    | true
  Untainted Annotations               | Tab         | None
    Untainted annotations             | StringList  | [org.checkerframework.checker.tainting.qual.Untainted, javax.annotation.Untainted]
    Untainted annotations for quick fix | StringList | [org.checkerframework.checker.tainting.qual.Untainted, javax.annotation.Untainted]
  Untainted Methods and Fields        | Tab         | None
    Untainted methods                 | Table       | None
      Class Name                      | TableColumn | []
      Method Name Regex               | TableColumn | []
    Untainted fields                  | Table       | None
      Class Name                      | TableColumn | []
      Field Name                      | TableColumn | []

Inspection Details

Available in: IntelliJ IDEA 2023.3, Qodana for JVM 2023.3

Plugin: Jakarta EE: Server Pages (JSP), 233.SNAPSHOT

Last modified: 13 July 2023