It was discovered that Mojarra, an implementation of JavaServer Faces, evaluates untrusted values as EL expressions if includeViewParameters is set to true.