Reputation: 4641
My static analyzer has flagged the following XSS error. I would like to understand if it is possible to inject malicious code into this parameter, to cause the injected value to be interpreted as JavaScript (possibly by prematurely terminating the JavaScript string literal), or to cause the injected value to redirect to somewhere other than the intended destination with a value that is refused by the server.
```jsp
<c:url var="myUrl" value="/somepage.jsp">
<c:param name="myParam" value="${param.userSuppliedParameter}"/>
</c:url>
<script type="text/javascript">
<!--
document.location = "${myUrl}";
//-->
</script>
```
It is noteworthy that the server will properly handle the redirect URL in cases where the url parameter is simply altered, and additional URL parameters will be ignored. I am chiefly interested in determining if an attacker could inject executable JavaScript into this page using the `userSuppliedParameter` URL query param, and if it is possible for an attacker to get the `document.location` to be evaluated as anything other than `/somepage.jsp` with any arbitrary URL parameters. For example: `http://foo.com/bar.jsp?userSuppliedParam=SOME_POTENTIALLY_MALICIOUS_PAYLOAD`. I am not concerned about values getting injected into the destination page, or the way the destination page will interpret the URL.
`<c:url>` should URL encode the URL parameters, which would prevent someone from adding an '@' symbol, which would otherwise cause preceding characters to be interpreted as basic authentication parameters. This would otherwise expose an open redirect vulnerability.

`<c:url>` should also encode double quotes, which would prevent someone from terminating the JavaScript string literal.
I am basing my assumptions about url encodings on the RFC and the JavaDoc for URLEncoder.
Any other possible abuse?
Upvotes: 2
Views: 2679
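An added example, not from the question or from JSTL, that models what the question reasons about: the parameter value is form-URL-encoded before being appended to the URL, and the result is checked for characters that could terminate the JavaScript string literal or change the redirect target. Python's `quote_plus` stands in for Java's `URLEncoder.encode` (an assumption; both escape every character the check looks at), the payloads are constructed, and the unencoded builder shows what the finding would look like if the tag did not encode.

```python
from urllib.parse import quote_plus, urlsplit

# Stand-in for <c:url>/<c:param>: the value is application/x-www-form-urlencoded
# before being appended. The tag calls Java's URLEncoder.encode; quote_plus is
# used here as an assumption (both escape every character checked below).
def build_c_url(base, name, value):
    return f"{base}?{quote_plus(name)}={quote_plus(value)}"
# Unencoded form, i.e. what the analyzer's finding assumes, for contrast.
def build_raw_url(base, name, value):
    return f"{base}?{name}={value}"

# Characters that could end the double-quoted JS literal, close the <script>
# block, or change which host the browser resolves the URL against.
DANGEROUS = set('"\\\n\r<>@/:?#') | {"\u2028", "\u2029"}

def leaked_chars(base, url):
    """Dangerous characters that survived in the user-controlled suffix."""
    return set(url[len(base) + 1:]) & DANGEROUS  # drop "base?"

def literal_intact(url):
    """Is document.location = "<url>"; still one closed string literal?"""
    line = f'document.location = "{url}";'
    return line.count('"') == 2 and not (set(line) & set("\\\n\r\u2028\u2029"))

def same_target(base, url):
    """Is the URL still relative and still pointing at the intended page?"""
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == "" and parts.path == base

# Constructed payloads for the cases the question raises.
SAMPLES = {
    "double_quote": 'abc" def',
    "backslash_quote": 'abc\\" def',
    "at_sign_host": "user@other.example",
    "absolute_url": "http://other.example/",
    "line_break": "a\nb",
}

def check_all(builder=build_c_url, base="/somepage.jsp", name="myParam"):
    report = {}
    for label, payload in SAMPLES.items():
        url = builder(base, name, payload)
        report[label] = {"url": url, "leaked": leaked_chars(base, url),
                         "literal_ok": literal_intact(url),
                         "same_target": same_target(base, url)}
    return report

if __name__ == "__main__":
    for label, r in check_all().items():
        print(label, r)
```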
Reputation: 4641
The consensus is that this is a false positive. I'll update this, if I find a potential vulnerability.
Upvotes: 0