fixed 6.1.22 thanks We don't ship the test WebApps enabled by default (from what I can gather, it seems we don't ship them at all) and this new version fixes the remaining XSS vulnerabilities (I double checked the fix is in). This bug will be closed when the new version gets uploaded.