From 3b15d36d38d9aed8b9b6bf2f147ab7024ce7e548 Mon Sep 17 00:00:00 2001 From: Daniel Naber Date: Mon, 18 Oct 2004 22:30:15 +0000 Subject: [PATCH] document the HTML escape fix for the JSP example git-svn-id: https://svn.apache.org/repos/asf/lucene/java/trunk@150617 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGES.txt b/CHANGES.txt index 4fde622983c..56dc5997930 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -102,6 +102,12 @@ $Id$ low-frequency terms, where the cost of dictionary lookup can be significant. (cutting) +23. The JSP demo page (src/jsp/results.jsp) now properly escapes error + messages which might contain user input (e.g. error messages about + query parsing). If you used that page as a starting point for your + own code please make sure your code also properly escapes HTML + characters from user input in order to avoid so-called cross site + scripting attacks. (Daniel Naber) 1.4.1
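Review bot: the new item 23 says src/jsp/results.jsp "now properly escapes error messages" but this commit only touches CHANGES.txt and the entry does not say which change or which escaping routine does the escaping, so a reader cannot locate or verify the fix from the changelog; add a pointer to the code change that introduced the escaping. The wording is also more advisory than changelog: "If you used that page as a starting point ... please make sure ..." addresses the reader, and "so-called cross site scripting attacks" hedges a standard term. Suggest stating the fact and its scope plainly, for example "src/jsp/results.jsp now HTML-escapes error messages before output, since they may contain user-supplied query text (cross-site scripting, XSS)", and keeping the advice to derived code as a single short sentence, since error messages that echo query input are exactly the path the escaping closes.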