If an application uses spring-webmvc and a velocity view resolver and have used #springbind everywhere then html will be escaped but velocity will not.
Example exploit text:
I can't find any info on how to velocity escape the input. Velocity itself doesn't seem to provide a velocity escaper (it provides html/sql etc). Does one exist or must a custom one be written?
The point to change would seem to be the #springbind definition in spring.vm