Edit: This bug has been confirmed fixed in Domino 8.5.1 FP1.
I just read this in my daily RSS roundup.
Add a + after .xsp in the address field of your browser results in the source code of the current XPage being printed to the browser (click above link for screenshot or try for yourself). It's not sure how I feel about this. In most cases it won't be a security issue, but still..