Especially in the edit pages, it is possible to have an expression like:
value="<%=foo%>"
where foo is a string value that contains a " character. This needs to be escaped, changed to &quot;. There might be other cases to worry about. I should review the JSP templates and make sure things are properly encoded.