Add XSS protection

[GoogleCodeExporter]

My app failed a penetration test because of XSS vulnerabilities in Java Melody.
Particulary, URL parameters such as SessionID are output to HTML unescaped, 
which allows the injection of malicious javascript 
All variables or parameters should be HTML and/or URL encoded when output to 
HTML pages.

Original issue reported on code.google.com by jon.ner...@gmail.com on 10 Sep 2012 at 4:53

[GoogleCodeExporter]

Can you give more details about this, including the different cases if you have?
You can certainly send it in private to me (evernat _at_ free.fr).

Original comment by evernat@free.fr on 10 Sep 2012 at 10:39

[GoogleCodeExporter]

This is now fixed and ready for the next release (1.41).

If you do not want to wait for the release, I have made a new build of the jar 
file, and of the war of the collect server, including the fix:
http://javamelody.googlecode.com/files/javamelody-20120916.jar
http://javamelody.googlecode.com/files/javamelody-20120916.war

If the optional collect server is used, then using this new war of the collect 
server is certainly enough to fix the issue.

Thanks

Original comment by evernat@free.fr on 16 Sep 2012 at 10:16

• Changed state: Fixed

[GoogleCodeExporter]

The fix is included in the v1.41 release, which is now available at:
https://code.google.com/p/javamelody/downloads/list

Original comment by evernat@free.fr on 1 Oct 2012 at 8:44