Improper Encoding or Escaping of Output
| Property | Value |
|---|---|
| Language | regex |
| Severity | |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Your JSP page is outputting data using Expression Language (EL) without escaping it, which means user-supplied input could be rendered directly into the page as HTML. This creates a risk of cross-site scripting (XSS) if any of the data comes from an untrusted source.
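The following is an added example, not part of this rule page or the scanner's own implementation. It puts the unescaped and escaped forms of the same JSP output side by side (as constructed sample lines) and runs a small regex heuristic over them of the kind this rule describes: a bare `${...}` written into HTML text or an attribute is flagged, while `<c:out value="${...}"/>` and `${fn:escapeXml(...)}` are accepted, and `<c:out ... escapeXml="false"/>` is flagged again because it switches escaping off. The tag names, regexes and sample expressions (`param.name`, `requestScope.query`, `user.bio`) are the example's own assumptions.

```python
"""Heuristic, line-oriented check for unescaped EL output in JSP text.

Added example (not the rule's own code). A regex cannot tell whether an
expression's data is trusted or whether escaping happens in another layer,
which is why a rule of this kind carries a low confidence level.
"""
import re
from typing import List, Tuple

# Constructed sample JSP (not from the page): unescaped and escaped forms
# of the same output, plus two edge cases (escaping disabled, non-output tag).
SAMPLE_JSP = """\
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<p>Hello, ${param.name}</p>
<p>Hello, <c:out value="${param.name}"/></p>
<p>Hello, ${fn:escapeXml(param.name)}</p>
<input type="text" value="${requestScope.query}">
<input type="text" value="<c:out value='${requestScope.query}'/>">
<c:out value="${user.bio}" escapeXml="false"/>
<c:set var="total" value="${cart.total}"/>
"""

# ${...} is immediate EL; #{...} is deferred EL. The body is taken up to the
# first '}', which is sufficient for ordinary expressions.
EL_RE = re.compile(r"[$#]\{([^}]*)\}")

# Nearest still-open, prefixed (taglib) tag before the expression, e.g. <c:out
ENCLOSING_TAG_RE = re.compile(r"<([A-Za-z]\w*:\w+)(?:\s[^<>]*)?$")

# escapeXml="false" on <c:out> disables its default escaping.
ESCAPE_OFF_RE = re.compile(r"""\bescapeXml\s*=\s*["']?\s*false""")

# Explicit escaping performed inside the expression itself.
FN_ESCAPE_RE = re.compile(r"^\s*fn:escapeXml\s*\(")


def find_unescaped_el(jsp_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for each EL output that is not escaped."""
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(jsp_text.splitlines(), start=1):
        for m in EL_RE.finditer(line):
            expr = m.group(1).strip()
            before = line[: m.start()]
            tag = ENCLOSING_TAG_RE.search(before)
            if tag is not None:
                if tag.group(1) == "c:out":
                    # Escaped by default; flagged only if escaping is turned off.
                    end = line.find(">", m.end())
                    tag_text = line[tag.start() : end if end != -1 else len(line)]
                    if ESCAPE_OFF_RE.search(tag_text):
                        findings.append((line_no, expr))
                    continue
                # EL feeding another taglib attribute (c:set, c:if, ...) is not
                # rendered by this line; it is outside this heuristic's scope.
                continue
            if FN_ESCAPE_RE.match(expr):
                continue
            # Direct output into HTML text or a plain attribute: flagged.
            findings.append((line_no, expr))
    return findings


if __name__ == "__main__":
    for line_no, expr in find_unescaped_el(SAMPLE_JSP):
        print(f"line {line_no}: unescaped EL output ${{{expr}}}")
```

Run against the sample, the check reports lines 3, 6 and 8 and accepts lines 4, 5 and 7. Note that `<c:out>` and `fn:escapeXml` encode `<`, `>`, `&`, `'` and `"`, which is sufficient for HTML text and quoted attribute values; an expression placed inside a `<script>` block or a URL needs encoding specific to that context, and a line-based regex such as this one does not see that distinction.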
Impact
If exploited, an attacker could inject malicious scripts into your web pages, potentially stealing user credentials, hijacking sessions, or defacing your site. This exposes both users and the organization to security breaches, data theft, and reputational damage.