CVE-2017-15911 XSS with domain in setup-host-settings.jsp

This is a bit daft to list as a serious security problem. The setup pages are presumed to be a one-off path by a single administrative user - the only person they could be attacking via this XSS is therefore themselves.

In many respects, I'd rather work on securing the setup process rather than faff about with largely pointless "security" issues like this - on the other hand, it's a slam-dunk for cleaning up a CVE, so I'll close it.