    OF-836 CVE-2015-6972 MUC service description · 340f0fc9
    Dave Cridland authored
    The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in
    the summary view at muc-service-summary.jsp
    
    This was reported by Florian Nivette of Sysdream.
    
    Fixed by escaping on output within muc-service-summary.jsp.
    
    In addition, domain validation was added on input.
muc-service-summary.jsp 8.3 KB