Unescaped EL Expressions
Reports non-safe data in unescaped EL expressions in JSP pages. Such cases may lead to a cross-site scripting (XSS) vulnerability.
The description below uses the term untainted data to refer to safe, trusted data, the opposite of tainted (non-safe, untrusted) data. See taint checking for more information.
A safe (untainted) object is:
- a primitive data type (except char)
- a result of a call of a method that is marked as untainted
- a result of an escaping function call
- a field which is marked as untainted
A JSP page can have different contexts for the provided data, and data that is safe for one context is not necessarily safe for all of them. See the Cross Site Scripting Prevention Cheat Sheet for some examples. This inspection skips data marked as untainted (safe) in ALL contexts.
This inspection supports the following options to mark methods and fields as safe:
- by using any annotation from the configurable list of untainted annotations
- by configuring the list of safe methods and fields
- all static final fields can be marked as untainted by choosing the "Consider static final fields as untainted" option on the "Untainted Methods and Fields" tab
This inspection does not highlight places where non-safe data reaches the safe tags in JSP pages. For example, the out tag from the JSTL taglib is secure because it escapes the given value by default. The list of safe tags is configurable (omit the tag or attribute value to define a whole range).
The "Wrap in JSTL <out> tag" quick fix wraps an EL expression with the JSTL <out> tag.
Before:
After:
The "Wrap in JSTL escapeXml() function" quick fix wraps a non-safe value with the escapeXml escaping function.
Before:
After:
More quick fixes exist to add the selected tags to the safe tags or to annotate the related methods (or fields) with an untainted annotation.
It is possible to add custom escape functions (see the "Escape functions" tab). By default it contains the functions from the JSTL that return a safe value (e.g., the well-known escapeXml function). JSTL functions do not have to be defined twice with different namespace URIs: if either "http://java.sun.com/jsp/jstl/functions" or "http://java.sun.com/jstl/functions" is used, the other one is checked as well. It is also possible to recognise an escaping function by its name alone, in every namespace. To do so, leave the namespace URI field empty.
Locating this inspection
- By ID: JspUnescapedEl. Can be used to locate the inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.
- Via Settings dialog: the path to the inspection settings via the IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.
Inspection options
Here you can find the description of the settings available for the Unescaped EL Expressions inspection and the reference of their default values.
| Inspection Details | |
|---|---|
| By default bundled with: | |
| Can be installed with plugin: | Jakarta EE: Server Pages (JSP), 243.23126 |