diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 7ee825866c..6228ba40b9 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -93,7 +93,11 @@ public class VfUnescapeElRule extends AbstractVfRule {
}
} else {
if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
- addViolation(data, elExpression);
+ final boolean hasUnscaped = doesElContainAnyUnescapedIdentifiers(elExpression,
+ EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE));
+ if (!(jsonParse && !hasUnscaped)) {
+ addViolation(data, elExpression);
+ }
}
}
}
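Review bot: The new exemption around `addViolation` trusts `Escaping.JSENCODE` / `Escaping.JSINHTMLENCODE`, which only protect a value that ends up inside a quoted JavaScript string, and nothing in the hunk says why that holds on this path. The `if` that pairs with this `else`, and the definition of `jsonParse`, are outside the hunk; if this is the unquoted-EL branch, add a comment such as `// inside JSON.parse(...) a JS-encoded EL is only ever parsed as data, so it is not reported` and confirm that the `jsonParse` detection cannot match an EL that sits outside the string argument. The guard `if (!(jsonParse && !hasUnscaped))` is a double negation that is easy to misread in a security rule; `if (!jsonParse || hasUnescaped)` is equivalent and reads directly. The local should be spelled `hasUnescaped`, and the call to `doesElContainAnyUnescapedIdentifiers` could be skipped when `jsonParse` is false, since its result is only consulted in the JSON.parse case.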
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index 915d45ad51..3182902eb4 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -605,4 +605,20 @@ JSON.parse method evaluates non quoted EL to unsafe XSS
vf
+
+
+ 0
+
+
+
+]]>
+ vf
+
+
+