Jan Hutař of Red Hat reports:
When I create environment with HTML (like '<script>alert("hello")</script>')
in name is not escaped properly on some pages when printing it and so might
mean XSS attack possibility.
This was actually fixed prior to GA:
Was reported on: Satellite-6.0.3-RHEL-6-20140313.0
GA release: Satellite-6.0.4-RHEL-6-20140908.0
So this only affected a beta version of Satellite 6. Closing this as CURRENTRELEASE.