a4j:htmlCommandLink doesn't encode its value -------------------------------------------- Key: RF-3916 URL: http://jira.jboss.com/jira/browse/RF-3916 Project: RichFaces Issue Type: Bug Affects Versions: 3.1.2 Reporter: Lars Koedderitzsch Priority: Critical a4j:htmlCommandLink doesn't encode its value - which opens a door for malicious attacks against RichFaces applications, e.g. the injection of scripts. The bug is also present in 3.2.1. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira