It has been reported (thanks to Kamaljeet Kumar Sharma) that the default error templates in the framework we use (CodeIgniter) are subject to XSS attacks.

We have now edited these templates to pass their output through htmlentities. This makes the output look 'ugly': any HTML in an error message is printed literally instead of being used for formatting.

We feel this sacrifice is required to eliminate the possibility of further XSS vulnerabilities wherever an error is raised.

If this is a large concern for you, you can update your four error templates.

The files are on GitHub at https://github.com/Opmantek/open-audit/tree/master/code_igniter/application/errors
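As an added illustration of the change described above (this is example code, not Open-AudIT's or CodeIgniter's own files), the following shows a stock-style error template body that echoes its variables unescaped next to the hardened form that wraps them in htmlentities. It assumes the template receives a `$heading` and a `$message` string, as CodeIgniter's bundled error templates do; the sample values are constructed.

```php
<?php
// Added example, not code from the Open-AudIT repository or from CodeIgniter.
// Assumption: the error template is handed $heading and $message strings.

// Constructed sample values standing in for what the framework passes in.
$heading = 'An Error Was Encountered';
$message = '<p>Unable to load the requested file: <b>report.php</b></p>';

// Before: the template body echoes both values as-is, so any markup that
// reaches $message is handed to the browser and interpreted.
function render_error_raw(string $heading, string $message): string
{
    return "<h1>{$heading}</h1>\n{$message}\n";
}

// After: every value is escaped before it is echoed.
// ENT_QUOTES also escapes single quotes (older PHP defaults to ENT_COMPAT,
// which leaves them alone); the explicit 'UTF-8' avoids the charset default
// changing with the PHP version.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

function render_error_escaped(string $heading, string $message): string
{
    return "<h1>" . e($heading) . "</h1>\n" . e($message) . "\n";
}

// Expressed as the template file itself, the hardened lines look like:
//
//   <h1><?php echo htmlentities($heading, ENT_QUOTES, 'UTF-8'); ?></h1>
//   <?php echo htmlentities($message, ENT_QUOTES, 'UTF-8'); ?>

echo render_error_raw($heading, $message);
echo render_error_escaped($heading, $message);
```

With the constructed sample, `render_error_raw` delivers the `<p>` and `<b>` tags to the browser as markup, while `render_error_escaped` emits them as `&lt;p&gt;` and `&lt;b&gt;`, so they are displayed as text. That is exactly the trade-off the note above accepts: tags the framework adds for layout are printed rather than rendered, but nothing that arrives in an error message can execute as HTML or script.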