In my current work, I have discovered many web applications using the CookieLocaleResolver that are, as a consequence, vulnerable to reflected cross-site scripting attacks.
I'm not sure whether it is a Spring MVC flaw, or what the exact affected release is.
*EDIT*: It concerns Spring Web MVC and NOT Spring ROO but I cannot find the related component.
Find below a real-world HTTP request and response extracted from an internal web application:
Please find enclosed a Maven project including a JUnit test with spring-webmvc and spring-test 3.2.0.RELEASE.
Omar EL MANDOUR