If you use the LiteSpeed HTTP server, you may not be aware of an XSS bug in its core files, namely in the directory-listing script located at /_autoindex/default.php. An example attack would be:
_autoindex/default.php/<script>alert(1)</script>
To patch this, just add the following on line 346 of that file:
$uri = htmlentities($uri);
Bam.
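
Why the one-line fix works, as an added example (not LiteSpeed's code and not from the original post): the function names and the way `$uri` reaches the page heading are assumptions for illustration, and the inputs are constructed samples built from the request path shown above.

```php
<?php
// Added illustration; function names are hypothetical, not LiteSpeed's code.

// "Before": the request path is echoed into the markup unchanged.
function render_heading_unsafe(string $uri): string
{
    return "<h1>Index of " . $uri . "</h1>";
}

// "After": the same output with the path HTML-encoded first.
function render_heading_safe(string $uri): string
{
    // Explicit flags: before PHP 8.1 the default (ENT_COMPAT) leaves
    // single quotes unencoded, which matters inside '...' attributes.
    $uri = htmlentities($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Index of " . $uri . "</h1>";
}

// Constructed sample inputs: the path from the post, plus a normal path.
$samples = [
    "/_autoindex/default.php/<script>alert(1)</script>",
    "/pub/releases/",
];

foreach ($samples as $uri) {
    $unsafe = render_heading_unsafe($uri);
    $safe   = render_heading_safe($uri);
    // A literal "<script" in the output means the browser parses it as markup.
    $u = stripos($unsafe, '<script') !== false ? 'yes' : 'no';
    $s = stripos($safe, '<script') !== false ? 'yes' : 'no';
    printf("input : %s\n", $uri);
    printf("unsafe: %s  [tag in output: %s]\n", $unsafe, $u);
    printf("safe  : %s  [tag in output: %s]\n\n", $safe, $s);
}
```

After patching, request the example path again and view the page source: the angle brackets should appear as `&lt;` and `&gt;`.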



