[CVE-2010-0432] Merged from trunk r920371 Properly encode any error messages before attempting to write them to the response. I'm doing it here to avoid having to do the encoding within each app's error.jsp file, I think this should be fine though.