Was wondering whether this would be a potential security risk. I have a java servlet web app and at the bottom of every page, I generate a "report page problem" link which includes the original url request as well as the path to the JSP that the request was forwarded to. The thing is the JSP pages are sometimes in the WEB-INF folder. Is this a potential security risk? As I might be showing the contents of WEB-INF?

It might show that the request was forwarded to

/WEB-INF/views/user/ViewUser.jsp for example.

You could remove part of the path while printing the path and I do not see why users need to know from which jsp the request was forwarded. Otherwise it is not a very big problem as Servlet containers won't serve any content in WEB-INF. By putting your JSPs there, you prevent anyone from directly accessing a JSP by navigating to it in the browser by name.