diff -x'*~' -urN hunchentoot-1.1.0/headers.lisp hunchentoot-1.1.0-changed/headers.lisp
--- hunchentoot-1.1.0/headers.lisp	2010-01-08 04:00:22.000000000 -0800
+++ hunchentoot-1.1.0-changed/headers.lisp	2010-03-24 19:13:05.000000000 -0700
@@ -157,15 +157,15 @@
                           ((#.+http-internal-server-error+) content)
                           ((#.+http-moved-temporarily+ #.+http-moved-permanently+)
                            (format nil "The document has moved <a href='~A'>here</a>"
-                                   (header-out :location)))
+                                   (escape-for-html (header-out :location))))
                           ((#.+http-authorization-required+)
                            "The server could not verify that you are authorized to access the document requested.  Either you supplied the wrong credentials \(e.g., bad password), or your browser doesn't understand how to supply the credentials required.")
                           ((#.+http-forbidden+)
                            (format nil "You don't have permission to access ~A on this server."
-                                   (script-name request)))
+                                   (escape-for-html (script-name request))))
                           ((#.+http-not-found+)
                            (format nil "The requested URL ~A was not found on this server."
-                                   (script-name request)))
+                                   (escape-for-html (script-name request))))
                           ((#.+http-bad-request+)
                            "Your browser sent a request that this server could not understand.")
                           (otherwise ""))
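Review bot: The `+http-internal-server-error+` branch on the first context line still returns `content` unescaped into the same HTML body that the three changed lines now escape, so the fix is only complete if every caller supplying `content` for a 500 has already run it through `escape-for-html`; if that is the callers' contract it deserves a comment here such as `;; content for 500 responses is inserted verbatim -- callers must escape it`. The escaped Location value lands inside a single-quoted `href='~A'`, which relies on `escape-for-html` converting `'` as well as `<`, `>`, `&` and `"`; worth confirming before trusting it for the attribute context. `(header-out :location)` is NIL when a 301/302 is sent without a Location header, and the same holds for `(or (host *request*) (acceptor-address *acceptor*))` in the util.lisp hunk below, so if `escape-for-html` requires a string these calls now signal an error where `~A` used to print NIL; wrapping the argument as `(escape-for-html (princ-to-string ...))` or appending `""` to the `or` avoids that. The enclosing function begins before and ends after this hunk.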
diff -x'*~' -urN hunchentoot-1.1.0/util.lisp hunchentoot-1.1.0-changed/util.lisp
--- hunchentoot-1.1.0/util.lisp	2010-01-08 04:00:22.000000000 -0800
+++ hunchentoot-1.1.0-changed/util.lisp	2010-03-24 19:16:35.000000000 -0700
@@ -302,7 +302,7 @@
           +implementation-link+
           (escape-for-html (lisp-implementation-type))
           (escape-for-html (lisp-implementation-version))
-          (or (host *request*) (acceptor-address *acceptor*))
+          (escape-for-html (or (host *request*) (acceptor-address *acceptor*)))
           (scan ":\\d+$" (or (host *request*) ""))
           (acceptor-port *acceptor*)))
 
