The value of "lang" attribute which <html:html> tag generates is not escaped. I think it could cause XSS problem If Accept-Language HTTP header's value is replaced with <script> tag.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]