Logic bug fix

pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java

@@ -83,13 +83,13 @@ public class VfUnescapeElRule extends AbstractVfRule {
         }
         if (quoted) {
             // check escaping too
-            if (!startsWithSafeResource(elExpression) || !containsSafeFields(elExpression)) {
+            if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
                 if (doesElContainAnyUnescapedIdentifiers(elExpression, Escaping.JSENCODE)) {
                     addViolation(data, elExpression);
                 }
             }
         } else {
-            if (!startsWithSafeResource(elExpression) || !containsSafeFields(elExpression)) {
+            if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
                 addViolation(data, elExpression);
             }
         }
@@ -185,6 +185,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
                 case "urlfor":
                 case "$site":
                 case "$page":
+                case "$action":
                     return true;
 
                 }

pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml

@@ -1,6 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <test-data>
 
+ 	<test-code>
+		<description><![CDATA[
+No XSS in safe commands quoted context
+     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<apex:page>
+	<script>
+	window.location.href = '{!URLFOR($Action.zqu__Quote__c.Submit, QuoteId, [retURL=QuoteId])}';
+	</script>
+</apex:page>
+]]></code>
+		<source-type>vf</source-type>
+	</test-code> 
  	<test-code>
 		<description><![CDATA[
 Unquoted EL in script tag is an XSS