Hello, I have a strange issue. I am trying to track down the root cause of an ancient CVE, CVE-2006-1548:
http://struts.1045723.n5.nabble.com/DO-NOT-REPLY-Bug-38749-New-XSS-vulnerability-in-LookupDispatchAction-td3510079.html I can replicate the XSS in Tomcat 4.0.6; however, in Tomcat 6.0.37 the HTML characters needed to inject the script are properly encoded. What is the mechanism for this? I haven't been able to determine why ServletException handles the message parameter differently between versions. Can anyone point me in the right direction? Thanks
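As an added illustration (not code from Tomcat, Struts or the original post, and not a claim about how either container actually implements its error page): the behavioural difference the poster describes comes down to whether the exception message is written into the error response verbatim or HTML-encoded first. The class below renders the same constructed message both ways so the two outputs can be compared side by side. The `escapeHtml` helper is a minimal stand-in for a maintained encoder such as the OWASP Java Encoder; the message text is a constructed sample.

```java
// Added example: an exception message copied verbatim into an HTML error page
// versus the same message passed through output encoding first.
public class ErrorPageEncoding {

    // Minimal HTML escaper for text content (assumed helper for illustration only;
    // production code should use a maintained library such as OWASP Java Encoder).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe pattern: the message (which may carry request-controlled text)
    // is interpolated into the page unchanged, so any markup in it is rendered.
    static String renderUnsafe(String message) {
        return "<html><body><h1>Error</h1><p>" + message + "</p></body></html>";
    }

    // Safe pattern: the message is encoded for an HTML text context before
    // interpolation, so markup in it is displayed as literal text.
    static String renderSafe(String message) {
        return "<html><body><h1>Error</h1><p>" + escapeHtml(message) + "</p></body></html>";
    }

    // Detection check: does a rendered page still contain the raw tag from the input?
    static boolean containsRawTag(String html, String tag) {
        return html.contains(tag);
    }

    public static void main(String[] args) {
        // Constructed sample message: what a ServletException might carry when
        // its message is built from request input (benign markup used here).
        String message = "Unknown parameter value: <b>example</b>";

        String unsafe = renderUnsafe(message);
        String safe = renderSafe(message);

        System.out.println("Verbatim:  " + unsafe);
        System.out.println("Encoded:   " + safe);
        System.out.println("Raw <b> survives in verbatim page: " + containsRawTag(unsafe, "<b>"));
        System.out.println("Raw <b> survives in encoded page:  " + containsRawTag(safe, "<b>"));
    }
}
```

Compile and run with `javac ErrorPageEncoding.java && java ErrorPageEncoding`; the verbatim rendering keeps the literal `<b>` tag while the encoded rendering contains `&lt;b&gt;` instead. When comparing two container versions, the practical check is the same: capture the error response for a request whose parameter contains a harmless tag and see whether the tag reaches the response body encoded or raw.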