Comment 3 for bug 978980

While I agree that the behavior you describe exists, I'm not sure why it is classified as a security vulnerability worthy of a CVE: what information do you imagine is being disclosed? Surely the same argument could be made for "disclosing" the rendered HTML, too.

FWIW, this behavior is a designed-in feature of ZPT, present from the very earliest checkin.