Reported via security mailing list by Luke Arntson:
When submitting a request to one of the unauthenticated JSP pages of OpenFire, it is possible to inject arbitrary HTML that will reflect back to a user. An attacker can use this to steal session credentials, run malicious code on a client's browser, and many other harmful issues related to malicious HTML.
Steps to reproduce:
1. Load up an instance of OpenFire 4.0.x
2. Navigate to the following URL in Firefox:
The setup-admin-settings_test.jsp page should sanitize all input variables, and ensure that the output is sanitized as well.
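One way to apply the requested fix, shown as an added example that is not Openfire's code and not part of the original report. The class, the method names, the `username` parameter and its allow-list pattern are hypothetical, and a `Map` stands in for the servlet request so the example runs without a container.

```java
import java.util.Map;
import java.util.regex.Pattern;

public class ReflectedParamEncoding {
    // Hypothetical allow-list for the (assumed) "username" parameter.
    static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    // Encode for HTML element content and quoted attribute values.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable shape, equivalent to a JSP line such as
    //   <input name="username" value="<%= request.getParameter("username") %>">
    static String renderUnsafe(Map<String, String> params) {
        return "<input name=\"username\" value=\"" + params.get("username") + "\">";
    }

    // Hardened shape: validate on input, then encode on output regardless.
    static String renderSafe(Map<String, String> params) {
        String v = params.getOrDefault("username", "");
        if (!USERNAME.matcher(v).matches()) v = ""; // drop values outside the allow-list
        return "<input name=\"username\" value=\"" + encodeForHtml(v) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed value, one carrying markup.
        Map<String, String> ok = Map.of("username", "admin@example.org");
        Map<String, String> bad = Map.of("username", "\"><b>injected</b>");
        System.out.println(renderUnsafe(bad)); // markup breaks out of the attribute
        System.out.println(renderSafe(bad));   // value rejected, field rendered empty
        System.out.println(renderSafe(ok));    // value kept and encoded
        System.out.println(encodeForHtml(bad.get("username"))); // encoding alone
    }
}
```

Encoding on output is the control that stops the reflection. The allow-list only narrows what reaches the page and should not be relied on by itself.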