XSS checking

[der]

Parameters typed as strings (or open) are not checked against XSS injection. Not clear that this is a problem, just make sure not to report parameters on error pages.

[kal]

@der - proposing to close these in favour of updating sapi-nt to support update

[der]

This feels like a very small item that is probably already true and could be closed as done. If not then don't close and and would prioritise above starting on update.

[kal]

@simonoakesepimorphics - adding this to the current iteration as a thing to check and fix if the fix is straightforward to reschedule to an upcoming iteration if it is more involved.