Run attached sample and paste the following line in the edit field:
XSSStored<script>alert(1)</script>
This script will run as soon as you leave the edit field.
Are we as developers responsible to make sure this kind of input is not allowed, or is this something that Servoy should/can fix?