Detected a Thymeleaf tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use 'th:text' or '[[…]]' to escape this expression.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-116: Improper Encoding or Escaping of Output
OWASP:
- A03:2021 - Injection
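
An added example, not the rule's own implementation: a small Python scanner that flags the unescaped output forms this finding refers to and prints the escaped replacement for each. It assumes Thymeleaf 3 syntax, where th:utext (or data-th-utext) and [(...)] emit raw output; the sample template and the name find_unescaped are constructed for illustration.

```python
import re

# Assumption: Thymeleaf 3 syntax. Unescaped output is written either as the
# th:utext attribute (data-th-utext in the HTML5-friendly form) or as the
# [(...)] inline expression. The escaped counterparts are th:text and [[...]].
UNESCAPED_ATTR = re.compile(r'\b(th:|data-th-)utext\s*=\s*(["\'])(.*?)\2')
UNESCAPED_INLINE = re.compile(r'\[\((.*?)\)\]')

# Constructed sample template (not taken from a real project).
SAMPLE_TEMPLATE = """\
<html xmlns:th="http://www.thymeleaf.org">
<body>
  <h1 th:text="${title}">Title</h1>
  <div th:utext="${comment.body}">body</div>
  <p>Hello, [[${user.name}]]</p>
  <p>Bio: [(${user.bio})]</p>
  <span data-th-utext="${banner}"></span>
</body>
</html>
"""


def find_unescaped(template: str):
    """Return (line, kind, expression, escaped_form) for each unescaped output.

    The scan is line-based, so an attribute whose value spans several lines
    is not detected.
    """
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in UNESCAPED_ATTR.finditer(line):
            prefix, expr = m.group(1), m.group(3)
            # Keep the author's attribute prefix, swap utext for text.
            findings.append((lineno, "attribute", expr, f'{prefix}text="{expr}"'))
        for m in UNESCAPED_INLINE.finditer(line):
            expr = m.group(1)
            findings.append((lineno, "inline", expr, f"[[{expr}]]"))
    return findings


if __name__ == "__main__":
    for lineno, kind, expr, fix in find_unescaped(SAMPLE_TEMPLATE):
        print(f"line {lineno}: unescaped {kind} output {expr}; escaped form: {fix}")
```

If an expression must render markup, the value has to be sanitized before it reaches the template; switching to the escaped form is the fix when it only carries text.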