Though I don't answer many questions, I am an avid reader of the
questions and solutions posted.
I have a Jersey app that has been run through our corporations website
vulnerability tool. It came back with a vulnerability that is quite
odd. If you send in an Accept header with some script in it is returned
unescaped.