soundasleep / iaml

Automatically exported from code.google.com/p/iaml

XSS Vulnerability when setting Label directly from QueryParameter #273

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set a Label with the value of a QueryParameter in an ActivityOperation
2. Generate the application, and insert HTML into the provided QueryParameter, e.g. index.php?message=<b>hello<b/>

What is the expected output? What do you see instead?
Expected: The Label is set to &lt;b&gt;...
Actual: The Label is set to <b>...

This represents an XSS vulnerability. This should either be a new verification technique, or a simple Checks warning, or a property of the metamodel (but this is similar to PHP's magic_quotes).

Original issue reported on code.google.com by soundasleep on 21 Jul 2011 at 3:51
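An added illustration of the report above, not code from IAML or from the reporter: a stand-in for the generated PHP page, with the unescaped pattern that produces the "Actual" output beside the escaped pattern that produces the "Expected" `&lt;b&gt;...` output. The function names, the `<span>` wrapper and the CLI fallback value are assumptions.

```php
<?php
// Added example, not IAML-generated code. It shows why a Label set straight
// from a QueryParameter renders attacker-controlled markup, and the output
// encoding that the "Expected" result in the report implies.

// Vulnerable pattern: the QueryParameter value is concatenated into the page
// verbatim, so ?message=<b>hello<b/> becomes live HTML ("Actual" output).
function render_label_unsafe(string $value): string
{
    return '<span class="label">' . $value . '</span>';
}

// Hardened pattern: encode for an HTML text context. ENT_QUOTES also encodes
// quotes, so the same helper stays safe if a generator later emits the value
// inside a quoted attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function render_label(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="label">' . $escaped . '</span>';
}

// Constructed input matching the reproduction step (index.php?message=<b>hello<b/>).
// When run from the CLI, $_GET is empty and the same payload is used as a default.
$message = $_GET['message'] ?? '<b>hello<b/>';

echo 'Actual (unsafe):  ' . render_label_unsafe($message) . PHP_EOL;
echo 'Expected (safe):  ' . render_label($message) . PHP_EOL;
```

Running it shows the first line carrying a live `<b>` element and the second carrying only entity-encoded text, which is the behaviour a generator-level Checks warning would want to enforce for every Label fed from a QueryParameter.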

GoogleCodeExporter commented 9 years ago
mass tagging old issues to future work

Original comment by soundasleep on 26 Sep 2011 at 9:54