Roller 2.3.1: minor release to fix security risk form and licensing issue
*** Fixes for Cross-site Scripting (XSS) vulnerabilities

Fixed multiple XSS vulnerabilities. Changes were isolated in these files:

- WEB-INF/lib/rollerweb.jar
  Now strips HTML from all incoming comment fields
- WEB-INF/classes/comments.vm
  Now HTML-escapes all comment-form fields before display
- weblog/CommentManagement.jsp
  Now HTML-escapes all comment-form fields before display
- tags/date.jsp
  Now HTML-escapes value field of date widget
- theme/head.jsp
  Eliminated the "look" request parameter, which was for debugging only

*** Licensing issue with JavaMail and Activation jars

The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy. So these jars have been removed from the release, and instructions have been added to the Installation Guide that explain how to get them and add them to Roller.

Apache Roller 2.3.1 RC1 files are available here:
http://people.apache.org/~snoopdave/apache-roller-2.3.1/