Consider removing /webapps/examples/jsp/source.jsp to reduce the attack surface. It doesn't appear to be used anymore since source code is now presented in HTML files using txt2html.
I don't think there is much of a security argument for removing this JSP since it can only expose source code for files that are in the examples app and all that source is already publicly available. However, I am strongly in favour of removing this (and the associated tag) on the grounds it is no longer used.
Fixed in: - trunk for 9.0.15 onwards - 8.5.x for 8.5.38 onwards - 7.0.x for 7.0.93 onwards Thanks for the report.