How do you handle the case where you want user input from a form to be htmlEscape'd when you are binding to a command object? Looks like I'm going to override createBinder in my controller and return my own subclass of ServletRequestDataBinder which simply overrides the bind method and simply htmlEscapes the MutablePropertyValues. A simple implementation would escape every request parameter. Perhaps a little inefficient but oh well. Any ideas?