[Harmeet] > There are a few places in ofbiz where allow-html="any" is specified.
[David] Do you have any specific instances of this you have noticed?

Doing a search on allow-html="any" gave me the following services:

sendInvoicePerEmail
createEmailContent
updateEmailContent
persistDataResourceAndData
createCommunicationEventInterface
sendMail
sendMailFromUrl
sendMailFromScreen
prepareNotificationInterface
sendNotificationInterface

Entire security is as good as the weakest link in the chain, so you may want to remove them.

Harmeet
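The search described in this thread can be repeated as a structured audit that reports which service parameter carries the setting. This is an added example, not part of the original messages and not OFBiz project code; it assumes service definitions are XML files in `servicedef/` directories with `allow-html` set on `<attribute>` or `<override>` elements, and the service names in the sample are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the shape of an OFBiz service definition file.
# Service and parameter names are illustrative, not copied from OFBiz.
SAMPLE = """<services>
  <service name="exampleSendMail" engine="java">
    <attribute name="subject" type="String" mode="IN"/>
    <attribute name="body" type="String" mode="IN" allow-html="any"/>
  </service>
  <service name="exampleUpdateContent" engine="simple">
    <implements service="exampleContentInterface"/>
    <override name="textData" allow-html="any"/>
    <attribute name="summary" type="String" mode="IN" allow-html="safe"/>
  </service>
</services>"""


def find_allow_html(xml_text, value="any"):
    """Return sorted (service, element, parameter) tuples whose allow-html equals value."""
    root = ET.fromstring(xml_text)
    hits = []
    for service in root.iter("service"):
        for child in service:
            # Assumption: both <attribute> and <override> can carry allow-html.
            if child.tag in ("attribute", "override") and child.get("allow-html") == value:
                hits.append((service.get("name"), child.tag, child.get("name")))
    return sorted(hits)


def scan_tree(root_dir, value="any"):
    """Scan every servicedef/*.xml under root_dir and return {path: hits}."""
    report = {}
    for path in Path(root_dir).rglob("servicedef/*.xml"):
        try:
            hits = find_allow_html(path.read_text(encoding="utf-8"), value)
        except ET.ParseError:
            continue  # skip files that are not well-formed XML
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # With a directory argument, audit that source tree; otherwise run the sample.
    target = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": find_allow_html(SAMPLE)}
    for path, hits in sorted(target.items()):
        for svc, tag, param in hits:
            print(f"{path}: {svc}.{param} ({tag})")
```

Each reported parameter accepts unfiltered markup, so every hit is a place to confirm that the value is encoded on output or to tighten the setting.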
