Line 708 of flag.views.inc is not properly sanitized, allowing an attacker with administrative privileges, or access to the database, to create a flag that allows XSS.
Chris, thanks for the report. However, the flag module is not part of the www-apps/drupal package and thus Gentoo doesn't ship it. Unless my research was wrong, there's nothing we can do. Otherwise please reopen.