On the error page when Hyperic allows the user to see a stack trace, the application outputs the stack trace verbatim without running it through a sanitizer. For instance, one line of a recent stack trace I had has the line:
The <init> in this only shows up in an HTML View Source, not in the browser window. This is because the browser is interpreting this as a tag! Luckily that's not a tag that causes any issues, but naturally there could be anything in there from something that would mess up rendering to a potential security vulnerability via a XSS attack.
Java should have some native web sanitizers this can be (needs to be!) streamed through.