I was just trying the new "flag redaction" feature and noticed that the string '<redacted>' isn't getting properly HTML-escaped in the /varz web page. It appears we've never properly escaped flag values in this context, but it's only obvious now that the '<redacted>' string is getting interpreted as an HTML tag.
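The escaping gap described above, shown as an added example that is not from the original report or the project's code: a flags-page renderer in C++ with the unescaped path next to the escaped one. The `<pre>` layout, the function names and the sample flags are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical flag list: (name, value) pairs as a flags page would print them.
using FlagList = std::vector<std::pair<std::string, std::string>>;

// Escape the characters that are significant in HTML text and attribute contexts.
std::string EscapeForHtml(const std::string& in) {
  std::string out;
  for (char c : in) {
    switch (c) {
      case '&': out += "&amp;"; break;
      case '<': out += "&lt;"; break;
      case '>': out += "&gt;"; break;
      case '"': out += "&quot;"; break;
      case '\'': out += "&#39;"; break;
      default: out += c; break;
    }
  }
  return out;
}

// Render "--name=value" lines inside <pre> (assumed layout). With escape=false
// the value is emitted raw, so "<redacted>" is parsed as an unknown HTML tag
// and nothing is displayed after the '='.
std::string RenderFlags(const FlagList& flags, bool escape) {
  std::string html = "<pre>\n";
  for (const auto& f : flags) {
    const std::string name = escape ? EscapeForHtml(f.first) : f.first;
    const std::string value = escape ? EscapeForHtml(f.second) : f.second;
    html += "--" + name + "=" + value + "\n";
  }
  return html + "</pre>\n";
}

// Constructed sample flags; the names and values are not taken from the project.
FlagList SampleFlags() {
  return {{"example_password", "<redacted>"},
          {"example_log_dir", "/var/log/app"},
          {"example_banner", "a&b <b>bold</b>"}};
}

int main() {
  std::cout << RenderFlags(SampleFlags(), false) << RenderFlags(SampleFlags(), true);
  return 0;
}
```

Escaping both name and value at render time covers every flag, not only redacted ones, which matches the observation that the placeholder merely made an older gap visible.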