I think that Spring's MessageTag contains a fairly serious security vulnerability.
The 'arguments' attribute is internally evaluated in MessageTag using ExpressionEvaluationUtils. If we are using JSP 2.0, EL expressions are potentially evaluated twice: first by the JSP engine, then by MessageTag. This can lead to EL expression injection (something similar to SQL injection).
Consider the following example:
In the message bundle we have the message:
on our home page!
In the JSP we use MessageTag to print this message with the user name passed as an argument:
<spring:message code="msg,welcome" arguments="$
If a malicious user supplies an EL expression instead of his first name, he can gain access to sensitive data.
For example, he can enter $
and gain access to init parameters defined in web.xml.
He can discover the server type and some internal server configuration.
Potentially he can discover other sensitive data accessible through EL expressions.
Additionally, EL expressions are not escaped by Spring's HtmlUtils.escapeHtml(...).
I think that there should be a way to completely disable EL expression evaluation in MessageTag, because it is not needed when using JSP 2.0 (with built-in EL evaluation).
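Until the second evaluation can be switched off, a defensive workaround is to make sure no EL delimiter survives in a user-supplied value before it reaches the tag. The helper below is an added illustration, not code from Spring or from this report: it flags values containing "${" or "#{" so they can be logged, and it encodes '$' and '#' (together with the usual HTML metacharacters) as numeric HTML entities, so a second EL pass sees only literal text while the browser still renders the original characters. Class and method names are my own; the sample values are constructed.

```java
// Illustrative helper, not part of Spring's MessageTag or HtmlUtils.
import java.util.regex.Pattern;

public final class ElArgumentSanitizer {

    // An EL evaluator only acts on "${" or "#{"; a lone '$' or '#' is harmless.
    private static final Pattern EL_DELIMITER = Pattern.compile("[$#]\\{");

    private ElArgumentSanitizer() {}

    /** True if the value would be picked up by an EL evaluator; useful for logging rejected input. */
    public static boolean looksLikeElExpression(String value) {
        return value != null && EL_DELIMITER.matcher(value).find();
    }

    /**
     * Encode the value so it can neither be parsed as EL a second time nor break out of HTML.
     * '&' is encoded in the same pass, so already-encoded input is not double-decoded later.
     */
    public static String neutralize(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '$':  sb.append("&#36;");  break; // prevents "${"
                case '#':  sb.append("&#35;");  break; // prevents "#{"
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal name, and two values carrying EL delimiters.
        String[] samples = { "Alice", "${someExpression}", "#{1 + 1}" };
        for (String s : samples) {
            System.out.printf("%-20s el=%-5b -> %s%n", s, looksLikeElExpression(s), neutralize(s));
        }
    }
}
```

In the JSP, the sanitized value (for example stored under a request attribute by the controller) is what gets passed in the arguments attribute instead of the raw user input. This only hardens the HTML-rendering case described above; the proper fix remains not to evaluate the attribute a second time at all.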