diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index aaf7ed9bdb..22dadb4405 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -83,13 +83,13 @@ public class VfUnescapeElRule extends AbstractVfRule {
 }
 if (quoted) {
 // check escaping too
- if (!startsWithSafeResource(elExpression) || !containsSafeFields(elExpression)) {
+ if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
 if (doesElContainAnyUnescapedIdentifiers(elExpression, Escaping.JSENCODE)) {
 addViolation(data, elExpression);
 }
 }
 } else {
- if (!startsWithSafeResource(elExpression) || !containsSafeFields(elExpression)) {
+ if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
 addViolation(data, elExpression);
 }
 }
@@ -185,6 +185,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
 case "urlfor":
 case "$site":
 case "$page":
+ case "$action":
 return true;
 }
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index c326609cb3..9ff45576e7 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -1,6 +1,20 @@ + + + 0 + + + +]]> + vf +
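Review bot: In VfUnescapeElRule.java (hunk at -83,13) the corrected condition `!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))` is written out twice, once in the quoted branch and once in the else branch, and the removed lines show how easily a duplicated negation goes wrong. Compute it once before `if (quoted)`, e.g. `final boolean exempt = startsWithSafeResource(elExpression) || containsSafeFields(elExpression);`, and test `if (!exempt)` in both branches. Either helper alone now suppresses the violation, so a comment such as `// exempt when the EL starts with a safe resource OR contains a safe field` would make the allow-list semantics explicit. If containsSafeFields matches a safe field anywhere in the expression (its body is not in this hunk), a test that pairs a safe field with an unescaped identifier would confirm the rule still reports it. The enclosing method starts outside the hunk.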
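Review bot: The new `case "$action":` in the second hunk of VfUnescapeElRule.java (-185,6) widens the set of expressions this security rule never reports, but nothing records why `$Action` is safe to emit unescaped. A short comment on the case list, for example `// global variables that resolve to platform-defined values, not request data`, would let a later reviewer judge further additions; confirm the wording against the Visualforce documentation. Judging by its name, startsWithSafeResource looks only at the leading identifier, so a test where `$Action` is followed by a controller-supplied value would pin down whether that combination is still flagged. The switch and its enclosing method start outside the hunk.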