Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
It's bit project specific. In our project we have confirmation page where we show only some specific information that user has entered by processing the form data xml and rendering only that specific data on that page. I am rendering that data as html , hence I am facing that issue
This issue was raised by our security team while doing pentest.
From a bit of googling, found that orbeon uses html-cleanup to strip off such characters, but I am not able to call that from my form definition xml