Attaching patch 4a, which should protect the servlet against basic XSS attacks. It also addresses a few non-XSS issues.
o use a safer value for the form action attribute
o write Integer instead of raw String in message
  (this was safe in the current implementation, but not good practice)
o escaped strings passed to langUtil.getTextMessage
o made error reporting less verbose when the form parameter is unknown
o added missing ';' in escapeSingleQuotes
o added escapeHTML
There are no tests for NetServlet, so I have tested it manually.
Patch ready for review.