There is no cross site scripting in ViewStatusMessageServletBase. Please describe the attack in some reasonable detail. You can email me directly. In the mean time, I am closing this report as cannot reproduce.