SonarQube Version 9.1.0.47736
doesn’t seam to take into account the fn:escapeXml() function for evaluating the “Potential XSS in JSP” rule :
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<c:set var="str" value="This <em>is a String</em>"/>
Test : <b>${ fn:escapeXml(str) }</b>
triggers the Security rules, whereas fn:escapeXml() prevents all XSS
And I have a HUGE codebase using fn:escapeXml()
Hi Thomas and welcome to the community!
You are right that this should be a sanitizer for XSS (and XML injection). I will create a ticket for this, thanks for the report!
Just a small note: it prevents a majority of XSS but not necessarily all. It depends on the HTML context where the user input ends up in. For example, this is not great:
<script>${ fn:escapeXml(str) }</script>
well indeed. But with
<script>${ fn:escapeXml(str) }</script>
you just cannot prevent XSS 
I meant outside a <script> element, you cannot generate a <script> element if you use ${ fn:escapeXml(str) }
In my opinion, putting user input into a script tag is always a bad idea. But I have seen it often in the following form:
<script>
var foo = '{{ str }}';
</script>
Some systems provide encoders to turn every character into hex which could make this secure. A much more elegant solution is to put it in a data attribute and then use JavaScript to read it out though. This way the normal HTML encoding can be used.
@Hendrik_Buchwald any news about the ticket you have created on this issue ?
Hi Thomas,
So far it was not implemented. I have pinged the team, they said they want to try to solve it in March.