Right now, Continuum is vulnerable to cross-site scripting. See REDBACK-275 and REDBACK-276.
Initial fix for this was implemented in http://jira.codehaus.org/browse/REDBACK-275 (included in 1.2.7)
Latest community issue in Redback for this issue http://jira.codehaus.org/browse/REDBACK-276
Will be revising the validation used in every action in Continuum to prevent invalid inputs like possible XSS attacks. I will just attach my patch after I'm done.
Will be adding additional validation to every action class's validation.xml and will be using a regex to check that the user's input is not a possible XSS attack.
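A fragment of the kind of per-action validation.xml described above, added here as an illustration and not taken from Continuum's source: the field name `projectName`, the action-specific filename and the allowed character set are assumptions, and the `expression` parameter name is the one used by the XWork regex validator of that era.

```xml
<!DOCTYPE validators PUBLIC
    "-//OpenSymphony Group//XWork Validator 1.0.2//EN"
    "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
<!-- Hypothetical file: AddProjectAction-validation.xml (assumed action name) -->
<validators>
  <field name="projectName">
    <field-validator type="requiredstring">
      <message>Project name is required.</message>
    </field-validator>
    <!-- Allowlist: letters, digits, space, dot, underscore and hyphen only.
         Anything that could open a tag or attribute (<, >, ", ', &) is
         rejected before the action runs, so it never reaches the page. -->
    <field-validator type="regex">
      <param name="expression">^[A-Za-z0-9 ._-]{1,64}$</param>
      <message>Project name contains invalid characters.</message>
    </field-validator>
  </field>
</validators>
```

Because validation.xml is XML, a regex that spells out forbidden characters such as `<` must escape them as `&lt;`; an allowlist as above avoids that trap and is easier to audit than a denylist of attack patterns.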
Removed fn:escapeXml in r1091974.
Removed c:out inside <input> tags in r1091990.
Patch added for the XSS vulnerability fixes, with a UT and a Selenium script.
Applied patch in r1096681 with some modifications:
Added validation to prevent XSS attacks in XML-RPC.