Hi,
There are a few places where Hunchentoot generates HTML which directly include some strings, but the strings are plain-text and not HTML. In some cases you can see that the string can never coincidentally contain HTML or user-supplied input, so that's fine--I haven't touched these. In other cases, the string is determined from user input (at the HTTP level), so there's a danger of XSS attacks at these points.
The chance of a successful attack which exploits these flaws is probably low. In any case, I think Hunchentoot should always correctly encode these user-supplied strings as HTML, since the strings are treated as plain-text and are not already formatted as HTML.
A patch is attached. The changes are minimal and should speak for themselves.
Thanks,
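The shape of the problem and of the fix the message proposes, as an added Common Lisp example that is not part of the message or of the attached patch. The page generator, the `html-escape` helper and the probe string are all constructed for illustration; in real Hunchentoot code the escaping would be done with the library's own `escape-for-html` rather than a hand-written helper, but the helper is used here so the example runs without loading Hunchentoot.

```lisp
;;; Added example: escaping a plain-text string before it is interpolated
;;; into generated HTML.  None of this is taken from the attached patch.

(defun html-escape (string)
  "Return STRING with the five characters that are significant in HTML text
and attribute values replaced by character references.  Hand-written for
this example; Hunchentoot's escape-for-html does the same job in the library."
  (with-output-to-string (out)
    (loop for char across string
          do (case char
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\& (write-string "&amp;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#39;" out))
               (t   (write-char char out))))))

;;; Hypothetical page generator standing in for the places the message
;;; describes.  USER-STRING is any plain-text value derived from the request
;;; (a path, a header value, a query parameter).

(defun vulnerable-page (user-string)
  "The pattern being fixed: the plain-text string goes straight into markup,
so any markup it contains is interpreted by the browser."
  (format nil "<html><body><p>Resource ~A was not found.</p></body></html>"
          user-string))

(defun safe-page (user-string)
  "The proposed fix: treat the string as text and encode it for HTML first."
  (format nil "<html><body><p>Resource ~A was not found.</p></body></html>"
          (html-escape user-string)))

;;; Constructed probe: the kind of value an attacker could place in a request.
(defparameter *probe* "/x<script>alert(1)</script>")

(defun check ()
  "Sanity check: the raw page carries a live <script> element, the escaped
page does not.  Returns true when both hold."
  (and (search "<script>" (vulnerable-page *probe*))
       (not (search "<script>" (safe-page *probe*)))
       t))
```

Evaluating `(check)` in a REPL returns true. Escaping the quote characters as well as `<`, `>` and `&` is deliberate: it keeps the same helper correct whether the string lands in element content or inside a quoted attribute value, which is the usual reason to escape unconditionally rather than case by case.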