Added test case and validation for xss possibility in views

[adam-murray]

Moderation views allowed query string parameters to be passed on to redirect without sanitisation, this PR is the fix and test case for it.