As well as a number of XSS bugs which were recently fixed in CONF-22568, the JSPs contained in Confluence don't support the same XSRF protection which our actions use.

We should convert this functionality over to actions and only use JSPs to deliver patches to customers, not for proper functionality.

When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in our JSPs.