It looks to me like Winstone's default handling of ServletExceptions doesn't "HTML escape" the exception contents.  At my place of work, we are running Jenkins.  The security folks are on my back because you can pass <script> elements as request parameters and get Jenkins to reflect the script back to the browser in the error message.  This is considered a serious XSS vulnerability.  This isn't a problem when Jenkins is run with Tomcat because the exception message is escaped in the error page.

This could be solved in a number of ways.  I'm wondering if this is something you would entertain changing in Winstone itself?  If so, I'm happy to investigate further.  Otherwise, I'll see if the Jenkins developers want to entertain a fix. 


Brian Parker
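The pattern the post describes, as an added example that is not Winstone's, Jenkins' or the poster's code: an error page that concatenates an exception message straight into HTML becomes a reflected XSS sink as soon as request-derived text (here, a constructed `<script>` payload taken from a parameter) ends up in that message, and the fix is to escape the message before it is written. The class name, the `renderUnescaped`/`renderEscaped`/`escapeHtml` helpers and the message format are assumptions chosen for illustration; a plain `Exception` stands in for `ServletException` so the file compiles against the JDK alone.

```java
// Added example (not Winstone's or Jenkins' code). Shows the vulnerable
// shape of an error page beside the escaped one. Names are assumed.
public final class ErrorPageEscaping {

    // Vulnerable shape (assumed, modelled on the behaviour described in the
    // post): the exception message is dropped into the HTML body verbatim,
    // so any markup it carries is parsed by the browser.
    static String renderUnescaped(Throwable t) {
        return "<html><body><h1>Error</h1><pre>" + t.getMessage()
                + "</pre></body></html>";
    }

    // Hardened shape: escape the message before it becomes HTML text content.
    static String renderEscaped(Throwable t) {
        return "<html><body><h1>Error</h1><pre>" + escapeHtml(t.getMessage())
                + "</pre></body></html>";
    }

    // Escapes the five characters that are significant in HTML text and
    // double/single-quoted attribute values. Sufficient for text-content and
    // attribute-value contexts; a message placed inside <script> or a URL
    // needs that context's encoding instead.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Does the rendered page still contain the raw tag? This is the check a
    // tester runs against the live server with the same payload in a query
    // parameter, looking for "<script>" versus "&lt;script&gt;" in the response.
    static boolean reflectsRawScript(String html) {
        return html.contains("<script>");
    }

    public static void main(String[] args) {
        // Constructed payload: what an attacker puts in a request parameter
        // that the application later folds into an exception message.
        String param = "<script>alert(document.cookie)</script>";
        // Plain Exception standing in for ServletException (assumption, so the
        // example compiles without the servlet API on the classpath).
        Throwable ex = new Exception("Invalid value for parameter 'name': " + param);

        String vulnerable = renderUnescaped(ex);
        String hardened = renderEscaped(ex);

        System.out.println("unescaped reflects raw <script>: " + reflectsRawScript(vulnerable));
        System.out.println("escaped   reflects raw <script>: " + reflectsRawScript(hardened));
        System.out.println(hardened);
    }
}
```

Compiling and running this prints `true` for the unescaped page and `false` for the escaped one. Whichever layer is fixed (the container's default error page or the application's own error handling), the escaping has to happen at the point where the message is written into HTML, and the response should also carry an explicit `Content-Type: text/html; charset=...` so the browser does not guess an encoding that could defeat the escaping.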