Websphere Portal version 7 provides a Cross-Site-Scripting protection mechanism that encodes the "<" and ">" during form post. This protection mechanism is turned on by default. As a consequence, the request values passed to the portlet processAction method are encoded values. e.g. "<" for "<" and ">" for ">", thus a Html unescape call is required to retrieve the original input values.
To disable the Cross-Site-Scripting protection, the security.css.protection service configuration property value needs to be set to false using procedure described in http://www-10.lotus.com/ldd/portalwiki.nsf/dx/Setting_service_configuration_properties_wp7.
