Originally by @hesara
It is possible to inject HTML through exception stack messages and stack traces displayed in system error messages. The developer of an application is likely not to take this into account and may inadvertently introduce XSS vulnerabilities in applications through this mechanism.
This vulnerability was discovered by Wouter Coekaerts (http://wouter.coekaerts.be).
Imported from https://dev.vaadin.com/ issue #7671
Reviewed by Leif.
It should be noted that the UserError class now provides separate text and HTML modes for messages. Previously, the text mode permitted HTML even though the documentation specified that the message should be plain text only.
Applications relying on the previous functionality should change to use the CONTENT_XHTML mode instead of the default CONTENT_TEXT mode.
Furthermore, subclasses of InvalidValueException can override getHtmlMessage() to bypass the default escaping of messages.