  1. Confluence Data Center
  2. CONFSERVER-43341

Inconsistent escaping returned by Confluence Search


      When using the CQLSearchService the response returned is inconsistently escaped. If using the highlight strategy, the body content is escaped and the title is not.

      In addition, the actual characters escaped are inconsistent. For example, &lt; should be escaped to &amp;lt; but isn't, while < is correctly escaped to &lt;.

      This seems like it would result in an XSS issue, but it appears to be ok in Confluence search.

            mtran@atlassian.com Minh Tran
            zwang@atlassian.com Ziming Wang
            Votes: 0
            Watchers: 5

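The escaping behaviour described in the report can be checked with a round-trip test; the following is an added example, not Confluence code and not part of the original issue. `escape_as_reported` is a hypothetical model of the reported behaviour (`<` is escaped, an existing `&` is left alone), and the sample strings are constructed.

```python
import html

# Constructed sample values; none come from a real Confluence instance.
SAMPLES = ["a < b", "a &lt; b", "Tom & Jerry", "<script>", "&amp;lt;"]


def escape_as_reported(text: str) -> str:
    """Hypothetical model of the report: '<' becomes '&lt;', '&' is untouched."""
    return text.replace("<", "&lt;")


def escape_consistent(text: str) -> str:
    """Escapes '&' as well as '<', '>' and quotes, so each input has one encoding."""
    return html.escape(text, quote=True)


def round_trip_failures(escape_fn, samples):
    """Samples a client cannot recover by unescaping the response exactly once."""
    return [s for s in samples if html.unescape(escape_fn(s)) != s]


def collisions(escape_fn, samples):
    """Distinct inputs that share one escaped output (the encoding is ambiguous)."""
    seen = {}
    for s in samples:
        seen.setdefault(escape_fn(s), []).append(s)
    return {out: ins for out, ins in seen.items() if len(ins) > 1}


if __name__ == "__main__":
    for name, fn in [("as reported", escape_as_reported),
                     ("consistent", escape_consistent)]:
        print(name)
        print("  round-trip failures:", round_trip_failures(fn, SAMPLES))
        print("  collisions:", collisions(fn, SAMPLES))
```

With the modelled behaviour, the literal text `a &lt; b` and the text `a < b` produce the same response, so a client cannot tell which one the page contained; escaping `&` as well removes the ambiguity.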