Critiq Docs

security.injection

Escape template output that reflects request or model data

Thymeleaf `th:utext`, JSP scriptlets, and FreeMarker `?no_esc` patterns must not render untrusted request or model values without an explicit sanitization strategy.

#Metadata

Rule ID
java.security.template-unescaped-user-output
Severity
high
Confidence
0.8
Languages
java
Presets
security, strict
Stability
experimental
Applies to
block
Tags
java, rules-catalog, security, templates, xss

#Why it matters

Non-escaped template sinks turn reflected request input (or stored model data that originated from a user) into XSS, which lets an attacker run script in the victim's browser, hijack sessions, and drive administrative workflows with the victim's privileges.

#Remediation

Use Thymeleaf `th:text` (and reserve `th:utext` for output of a vetted HTML sanitizer), render request data in JSP through `<c:out>` or `fn:escapeXml` rather than scriptlet expressions or raw `${...}` EL (which does not HTML-escape on its own), and keep FreeMarker auto-escaping on (HTML output format / `.ftlh` templates), using `?no_esc` only on values a vetted sanitizer has already cleaned.
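The following is an added example, not code from the Critiq rule or its documentation. It renders one constructed attacker-controlled value through the unsafe and the safe sink side by side, in Thymeleaf 3 (`th:utext` versus `th:text`) and in FreeMarker 2.3 (`?no_esc` versus a plain interpolation under the HTML output format), so the effect the rule flags is visible in the rendered output. It assumes the `thymeleaf` and `freemarker` artifacts are on the classpath; the class name, the `q` variable, the payload and the template strings are all constructed for this demo.

```java
// Added example (not part of the Critiq rule or docs): the same payload
// rendered through escaping and non-escaping sinks in Thymeleaf 3 and
// FreeMarker 2.3. Assumes both libraries are on the classpath.
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class TemplateEscapeDemo {

    // Constructed reflected-input payload, e.g. the value of ?q=... on a search page.
    static final String PAYLOAD = "<img src=x onerror=alert(document.cookie)>";

    // Renders an inline Thymeleaf template with the model variable "q" bound to value.
    static String renderThymeleaf(String template, String value) {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        Context ctx = new Context();
        ctx.setVariable("q", value);
        return engine.process(template, ctx);
    }

    // Renders an inline FreeMarker template with HTML auto-escaping enabled
    // for every template, not only files with the .ftlh extension.
    static String renderFreeMarker(String source, String value) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        Template tpl = new Template("demo", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        tpl.process(Map.of("q", value), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable: th:utext emits the model value as raw markup.
        System.out.println("thymeleaf th:utext : "
            + renderThymeleaf("<p th:utext=\"${q}\">search</p>", PAYLOAD));
        // Fixed: th:text HTML-escapes < > & \" ' so the payload renders as text.
        System.out.println("thymeleaf th:text  : "
            + renderThymeleaf("<p th:text=\"${q}\">search</p>", PAYLOAD));

        // Vulnerable: ?no_esc opts this interpolation out of auto-escaping.
        System.out.println("freemarker ?no_esc : "
            + renderFreeMarker("<p>${q?no_esc}</p>", PAYLOAD));
        // Fixed: a plain ${q} is escaped by the HTML output format.
        System.out.println("freemarker ${q}    : "
            + renderFreeMarker("<p>${q}</p>", PAYLOAD));
    }
}
```

Running it prints the `<img ... onerror=...>` tag verbatim for the two flagged sinks and an entity-escaped string (`&lt;img ...&gt;`) for the two safe ones. JSP is not shown because it needs a servlet container to execute; the equivalent check there is that request data reaches the page only through `<c:out value="${param.q}"/>` or `${fn:escapeXml(param.q)}`, never through `<%= request.getParameter("q") %>` or a bare `${param.q}`.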

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.template-unescaped-user-output.rule.yaml.