XSS in filterpane:filterPane #72
Description
At least when using formMethod="get", it is possible to pass HTML in the $param.op url parameter and have it executed as it is not escaped.
Tested on version 2.5.0 (branch "grails-2"), grails v. 2.5.5.
Pull request follows.