diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 486bd82e81..8ad7a53a58 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -75,8 +75,10 @@ public class VfUnescapeElRule extends AbstractVfRule {
private void processElInScriptContext(ASTElExpression elExpression, ASTText prevText, Object data) {
boolean quoted = false;
+ boolean jsonParse = false;
if (prevText != null) {
+ jsonParse = isJsonParse(prevText);
if (isUnbalanced(prevText.getImage(), '\'') || isUnbalanced(prevText.getImage(), '\"')) {
quoted = true;
}
@@ -90,12 +92,21 @@ public class VfUnescapeElRule extends AbstractVfRule {
}
}
} else {
- if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
+ if (!(jsonParse || startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
addViolation(data, elExpression);
}
}
}
+ private boolean isJsonParse(ASTText prevText) {
+ if (prevText.getImage().endsWith("JSON.parse(") || prevText.getImage().endsWith("jQuery.parseJSON(")
+ || prevText.getImage().endsWith("$.parseJSON(")) {
+ return true;
+ }
+
+ return false;
+ }
+
private boolean isUnbalanced(String image, char pattern) {
char[] array = image.toCharArray();
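Review bot: The added `jsonParse` term in the `else` condition drops the violation for any expression that directly follows `JSON.parse(`, `jQuery.parseJSON(` or `$.parseJSON(`, yet in what appears to be the unquoted path the merge field is emitted into the page as JavaScript source and is evaluated before the parse function receives it, so the parse call does not neutralise an unencoded value. Consider keeping the violation unless the expression also passes `startsWithSafeResource`/`containsSafeFields` or an encoding check, or at least state the assumption on `isJsonParse` with a comment such as `// assumes the EL yields server-serialized JSON; an unencoded user-controlled value here is still reported by no other branch`. The match is an exact suffix test, so `JSON.parse( {!x})` with whitespace before the expression is handled differently from `JSON.parse({!x})`, and the helper reads more simply as one `return` over a local `String image = prevText.getImage();`. The body of `processElInScriptContext` begins before this hunk and the branch condition is not visible, so the quoted/unquoted reading is inferred from the `quoted` flag.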
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index cd698c2bca..b0757b5234 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -557,6 +557,7 @@ Safe unquoted followed by safe quoted
]]>
vf
+
vf
+
+
+ 0
+
+
+
+]]>
+ vf
+