Unescaped EL expressions may lead to cross-site scripting (XSS) vulnerabilities.
The quick-fix wraps a raw EL expression with the JSTL <c:out> tag.
Example:
${foo}
After the quick-fix is applied:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${foo}"/>
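
The same rewrite applied to a whole page, as an added example (not the inspection's own implementation): a small Python sketch that wraps raw EL found in template text and adds the taglib directive when it is missing. The function name and the sample page are assumptions made for illustration.

```python
import re

CORE_URI = "http://java.sun.com/jsp/jstl/core"
TAGLIB = f'<%@ taglib prefix="c" uri="{CORE_URI}" %>\n'

# JSP directives, scriptlets and comments, or any tag with quoted attributes.
MARKUP = re.compile(r"""<%.*?%>|<(?:"[^"]*"|'[^']*'|[^'">])*>""", re.DOTALL)
# ${...} not preceded by a backslash (\${ is literal text in JSP).
RAW_EL = re.compile(r"(?<!\\)\$\{([^}]*)\}")

# Constructed sample page (not from the original text).
SAMPLE = (
    '<p>Hello ${user.name}</p>\n'
    '<p><c:out value="${user.bio}"/></p>\n'
    '<p>${fn:escapeXml(user.city)} \\${literal}</p>\n'
    "<p>${param['q']}</p>\n"
)


def fix_unescaped_el(jsp):
    """Wrap raw EL in template text; return (new_source, number_of_fixes)."""
    fixes = 0

    def wrap(match):
        nonlocal fixes
        expr, body = match.group(0), match.group(1).strip()
        if body.startswith("fn:escapeXml("):
            return expr  # already escaped by the JSTL function
        # Pick an attribute quote that does not occur in the expression.
        quote = '"' if '"' not in expr else "'" if "'" not in expr else None
        if quote is None:
            return expr  # both quote kinds present: leave for manual review
        fixes += 1
        return f"<c:out value={quote}{expr}{quote}/>"

    out, pos = [], 0
    for m in MARKUP.finditer(jsp):
        out.append(RAW_EL.sub(wrap, jsp[pos:m.start()]))  # template text
        out.append(m.group(0))  # markup is copied through unchanged
        pos = m.end()
    out.append(RAW_EL.sub(wrap, jsp[pos:]))
    fixed = "".join(out)
    if fixes and CORE_URI + '"' not in jsp:
        fixed = TAGLIB + fixed  # the quick-fix also adds the directive
    return fixed, fixes


if __name__ == "__main__":
    print(fix_unescaped_el(SAMPLE)[0])
```

<c:out> escapes XML special characters by default, which suits HTML text content. The sketch leaves EL inside tag attributes untouched, and EL inside <script> bodies needs JavaScript-context encoding, so review those places by hand.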