java/lang/security/audit/xss/jsp/use-jstl-escaping: false positive because of wrong regex #3547

Open
@timhemel

Description

Describe the bug

Pattern for java/lang/security/audit/xss/jsp/use-jstl-escaping matches in cases where it should not.

To Reproduce
Sample code to reproduce this behavior.

 <li> item <c:out value="${var}"></li>

Expected behavior
I expect the rule not to trigger, but it does, giving a false positive result.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me

Additional Context
The regex uses a negative lookahead pattern, shouldn't this be a negative lookbehind pattern? If so, this can be problematic, since lookbehind patterns can only have a fixed length.
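As an added example (not the rule's own regex and not the reporter's code), one way to make such a check tolerant of attribute spacing without any lookbehind: let the regex consume a whole `<c:out ...>` tag as its first alternative, so only a bare `${...}` reaches the branch that reports a finding. The `escapeXml="false"` check and all function names are my additions, and the samples are constructed.

```python
import re

# Constructed patterns for illustration; not the pattern used by the semgrep rule.
# The alternation consumes any whole <c:out ...> tag in the first branch, so an
# EL expression inside that tag's attributes never reaches the second branch.
# Only a bare ${...} (second branch) is a finding. This sidesteps the
# fixed-width lookbehind problem: the tag may contain any spacing or attributes.
# (Attribute values that themselves contain '>' are not handled here.)
_TAG_OR_EL = re.compile(
    r'(?P<cout><c:out\b[^>]*>)'   # whole c:out open tag, self-closing or not
    r'|(?P<el>\$\{[^}]*\})',      # bare EL expression outside any c:out
)
_ESCAPE_OFF = re.compile(r'escapeXml\s*=\s*"\s*false\s*"', re.IGNORECASE)
_EL = re.compile(r'\$\{[^}]*\}')


def find_unescaped_el(jsp: str) -> list[str]:
    """Return EL expressions in `jsp` that are rendered without JSTL escaping.

    A ${...} is reported when it is not inside a <c:out> tag, or when it is
    inside a <c:out> tag that disables escaping with escapeXml="false".
    """
    findings = []
    for m in _TAG_OR_EL.finditer(jsp):
        if m.group('el'):
            findings.append(m.group('el'))
        elif _ESCAPE_OFF.search(m.group('cout')):
            findings.extend(_EL.findall(m.group('cout')))
    return findings


def lookbehind_is_fixed_width_only() -> bool:
    """Illustrate the lookbehind limitation: Python's re rejects a
    variable-width negative lookbehind such as one allowing spaces before value=."""
    try:
        re.compile(r'(?<!<c:out\s+value=")\$\{')
        return False
    except re.error:
        return True


if __name__ == '__main__':
    # Constructed samples; the first is the reporter's reproduction case.
    for sample in ('<li> item <c:out value="${var}"></li>',
                   '<li>${var}</li>',
                   '<c:out value = "${a}" escapeXml="false"/> ${b}'):
        print(sample, '->', find_unescaped_el(sample))
    print('lookbehind fixed-width only:', lookbehind_is_fixed_width_only())
```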

Labels: bug (Something isn't working)