Unescaped EL Expressions

Reports non-safe data in unescaped EL expressions in JSP pages. Such cases may lead to cross-site scripting (XSS) vulnerability.

The description below uses the term untainted data to refer to safe and trusted data as the opposite of tainted (non-safe, untrusted). See taint checking for more information.

A safe (untainted) object is:

a primitive data type (except char)
a result of a call of a method that is marked as untainted
a result of an escaping function call
a field, which is marked as untainted

The JSP page could have different contexts for provided data, and if data is safe for one context, it is not necessarily mean that it is safe for all. See Cross Site Scripting Prevention Cheat Sheet for some examples. This inspection skips data marked as untainted (safe) in ALL contexts.

This inspection supports the following options to mark methods and fields as safe:

by using any annotation from the configurable list of untainted annotations
by configuring the list of safe methods and fields
all static final fields could be marked as untainted by choosing "Consider static final fields as untainted" option on "Untainted Methods and Fields" tab

This inspection does not highlight places where non-safe data reaches the safe tags in JSP pages. For example, the out tag from the JSTL taglib is secure because it escapes the given value by default. The list of safe tags is configurable (omit tag or attribute value to define a whole range).

"Wrap in JSTL <out> tag" quick fix wraps an EL expression with the JSTL <out> tag.

Before:

${foo}

After:

  <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
  <c:out value="${foo}"/>
  

"Wrap in JSTL escapeXml() function" wraps non-safe value with escapeXml escaping function.

Before:

  <%@ taglib prefix="custom" uri="WEB_INF/custom.tld" %>
  <custom:tag value="${foo}"/>
  

After:

    <%@ taglib prefix="custom" uri="WEB_INF/custom.tld" %>
    <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
    <custom:tag value="${fn:escapeXml(foo)}"/>
  

More quick fixes exist to add selected tags to safe tags or annotate related methods (or fields) with untainted annotation.

It is possible to add custom escape functions (see "Escape functions" tab). Now it contains functions from the JSTL that return a safe value (e.g., a well-known escapeXml function). It does not require defining JSTL functions twice with different namespace URIs. If one of the "http://java.sun.com/jsp/jstl/functions" or "http://java.sun.com/jstl/functions" were used, another one would also be checked. It is also possible to skip an escaping function everywhere by its name. To do so, leave a namespace URI field empty.

Locating this inspection

By ID

Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.

JspUnescapedEl

Via Settings dialog

Path to the inspection settings via IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.

Settings or Preferences | Editor | Inspections | JSP

Inspection options

Here you can find the description of settings available for the Unescaped EL Expressions inspection, and the reference of their default values.

Inspection Details
By default bundled with:	IntelliJ IDEA 2024.2, Qodana for JVM 2024.2,
Can be installed with plugin:	Jakarta EE: Server Pages (JSP), 242.22892

Last modified: 11 September 2024