JSP expressions (using <%= ... %>) have been deprecated because they:

JSP Standard Tag Library (JSTL) and Expression Language should be used instead, enabiling the adoption of the model-view-controller (MVC) design pattern which reduces the coupling between the presentation tier and the business logic.

Noncompliant Code Example

<input type="text" name="foo" value="<%= request.getParameter("foo") %>" />

Compliant Solution

<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />