I incorporated the XSS fixes below into Roller 3.1, so now we have RC7
- WEB-INF/lib/roller-web.jar
  Now strips HTML from all incoming comment fields
- WEB-INF/velocity/weblog.vm
  Now HTML-escapes all comment-form fields before display
- WEB-INF/jsps/authoring/CommentManagement.jsp
  Now HTML-escapes all comment-form fields before display
- WEB-INF/jsps/tiles/head.jsp
  Eliminated the "look" request parameter, which was for debugging only
- roller-ui/widgets/date.jsp
  Now HTML-escapes value field of date widget

RC change list is here:
http://cwiki.apache.org/confluence/display/ROLLER/Testing+Roller+3.1

Release files are here:
http://people.apache.org/~snoopdave/apache-roller-3.1/

Please download, do some sanity testing and vote.

- Dave
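The two layers listed above, stripping HTML from comment fields on the way in and HTML-escaping them on the way out (including the attribute-context value of the date widget), shown as an added Python example. This is not Roller's code (Roller does this in Java, in roller-web.jar and the Velocity/JSP templates); the function names, the markup emitted by `render_comment` and `render_date_widget`, and the sample comment values are constructed for illustration. The point it makes is that input stripping alone is not sufficient: text that survives the stripper, such as a stray `<` or a double quote, still has to be escaped at the point of display.

```python
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Collects text nodes and drops every tag (input-side sanitation)."""

    def __init__(self) -> None:
        # Keep entity references as typed so the stripper does not decode
        # "&lt;script&gt;" into a real "<script>" that a later step might trust.
        super().__init__(convert_charrefs=False)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)

    def handle_entityref(self, name: str) -> None:
        self.parts.append(f"&{name};")

    def handle_charref(self, name: str) -> None:
        self.parts.append(f"&#{name};")


def strip_html(text: str) -> str:
    """Input side: remove tags from a submitted comment field, keep the text."""
    parser = _TagStripper()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def escape_html(text: str) -> str:
    """Output side: make a value inert in element content and in quoted attributes.

    quote=True also escapes " and ', which is what the attribute context of the
    date widget needs; escaping only < and > would leave value="..." breakable.
    """
    return html.escape(text, quote=True)


def render_comment(author: str, content: str) -> str:
    """Hypothetical template fragment for a stored comment (element content)."""
    return (
        f'<p class="comment-author">{escape_html(author)}</p>'
        f'<div class="comment">{escape_html(content)}</div>'
    )


def render_date_widget(value: str) -> str:
    """Hypothetical date widget: the value lands inside a quoted attribute."""
    return f'<input type="text" name="date" value="{escape_html(value)}">'


def process_comment(raw_author: str, raw_content: str) -> tuple[str, str, str]:
    """Full pipeline: strip on input, store, escape on display.

    Returns (stored_author, stored_content, rendered_html).
    """
    stored_author = strip_html(raw_author)
    stored_content = strip_html(raw_content)
    return stored_author, stored_content, render_comment(stored_author, stored_content)


if __name__ == "__main__":
    # Constructed sample submissions, not real comments.
    author, content, page = process_comment(
        "<script>alert(1)</script>Mallory",
        'Nice post <img src=x onerror=alert(1)> but 1 < 2 and "quoted"',
    )
    print("stored author :", author)
    print("stored content:", content)
    print("rendered      :", page)
    print("date widget   :", render_date_widget('" onfocus="alert(1)'))
```

The stripper removes the `<script>` and `<img>` tags, but `1 < 2 and "quoted"` passes through untouched; `render_comment` is what turns that `<` and those quotes into `&lt;` and `&quot;`. The date widget case shows why the attribute value needs quote escaping as well: without it, a submitted `" onfocus="alert(1)` closes the `value` attribute and injects a handler.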