As Paul, I've stumbled upon this when using a tick (') in the search box at xwiki.org. It appears to be resolved on the dev version, but you really should backport the fix to xwiki.org as it is a serious security threat. Pablo