Improper Encoding or Escaping of Output
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Writing user-controlled data into a JSP page with a bare Expression Language (EL) reference, such as a request parameter interpolated directly into the markup, sends the value to the browser verbatim. An attacker who controls that value can therefore inject HTML or script into the rendered page. Use the JSTL `<c:out>` tag instead: with its default `escapeXml="true"`, it replaces `<`, `>`, `&`, `'` and `"` with character entities, so the value is displayed as text rather than interpreted as markup, which prevents cross-site scripting (XSS) in HTML text and quoted-attribute contexts.
Impact
If exploited, attackers could inject JavaScript or HTML into your web pages, leading to data theft, session hijacking, or defacement of your site. This can compromise user trust, expose sensitive information, and potentially allow further attacks against your users or infrastructure.