Comment 11 for bug 2058012

John A Meinel (jameinel) wrote:

I spoke with Harry and Ian about this. And it seems when designing "label", they did intend that it could contain "programmatic" data. They knew that you would have to map from the label back to some sort of context, and they wanted to make it a little bit easier (so you could use, e.g., JSON to encode the context that you wanted to pull out).

So for now, we're just planning on properly escaping our DB queries.

I do think that putting the CSR content as the label is still a bit weird, but as we are intending to have arbitrary encoding supported, we'll go with escaping our queries against MongoDB.