Rule parameters are not properly HTML escaped when shown in the "Edit rule" page.
This results in HTML code which looks like:
This has two side effects:
- The interface is not usable in every situation (for example, for writing XPath queries)
- It allows XSS injection
The current workaround is to edit rule parameters on the previous page one by one, and use the "Update" button for each of them.
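The breakage described above, reproduced as an added example (not the project's own code). It assumes the parameter is rendered into an `<input value="...">` attribute; the field name `xpathQuery` and the XPath string are constructed. It compares what an HTML parser recovers from the unescaped and the escaped rendering.

```python
import html
from html.parser import HTMLParser

# Constructed sample value: an XPath query, which needs double quotes.
XPATH_PARAM = '//method[@name="get"]'
FIELD = "xpathQuery"  # hypothetical parameter name

def render_unescaped(name, value):
    """Behaviour reported above: the value is pasted into the attribute as-is."""
    return '<input type="text" name="%s" value="%s"/>' % (name, value)

def render_escaped(name, value):
    """Corrected form: &, <, > and both quote characters become entities."""
    return '<input type="text" name="%s" value="%s"/>' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

class _InputAttrs(HTMLParser):
    """Records the attributes of the first <input> tag in the markup."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs

def parsed_attrs(markup):
    """Return the (name, value) attribute pairs an HTML parser extracts."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def field_value(markup):
    """The value the edit form would show and submit back."""
    return dict(parsed_attrs(markup)).get("value")

def stray_attrs(markup):
    """Attribute names that came from the parameter text, not the template."""
    return [n for n, _ in parsed_attrs(markup) if n not in ("type", "name", "value")]

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        markup = render(FIELD, XPATH_PARAM)
        print(render.__name__, "->", markup)
        print("  value:", field_value(markup), "| stray attributes:", stray_attrs(markup))
```

In the unescaped rendering the first double quote inside the query closes the `value` attribute, so the form shows a truncated query and the remainder is parsed as markup, which is the same mechanism behind both side effects listed above.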