This file should display as plain text, NOT HTML.
This file is sent to your browser as:
Content-Type: text/plain
If you get an alert box, then you are open to XSS from any web application that relies on text/plain as protection (which is a perfectly legitimate thing for an application to do).
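
A server-side check for the condition this file tests, as an added example that is not part of the original test file: it audits the headers of a response meant to display as inert text and flags the cases where a content-sniffing browser could still treat the body as HTML. The function names, the sample body and the list of HTML hints are assumptions made for this example; `X-Content-Type-Options: nosniff` is the standard response header that tells browsers not to sniff.

```python
import re

# Tags a content-sniffing browser may take as evidence of HTML
# (illustrative list chosen for this example, not an exact sniffing algorithm).
HTML_HINTS = re.compile(rb"<\s*(?:html|head|body|title|script|iframe|img|table|a)\b", re.I)

def parse_content_type(value):
    """Split a Content-Type header value into (media_type, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return parts[0].lower(), params

def audit_plaintext_response(headers, body):
    """Return findings for a response that is meant to render as inert text."""
    h = {k.lower(): v for k, v in headers.items()}
    media, params = parse_content_type(h.get("content-type", ""))
    findings = []
    if media != "text/plain":
        findings.append("Content-Type is not text/plain")
    if "charset" not in params:
        findings.append("no charset declared")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
        # Without nosniff, markup near the start of the body is what a sniffer acts on.
        if HTML_HINTS.search(body[:1024]):
            findings.append("body contains HTML-like markup a sniffing browser may render")
    return findings

def hardened_headers():
    """Headers for serving untrusted content as text that must not be sniffed."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }

# Constructed sample: a text/plain body that carries markup.
SAMPLE_BODY = b"This file should display as plain text.\n<title>constructed sample</title>\n"
WEAK = {"Content-Type": "text/plain"}

if __name__ == "__main__":
    print(audit_plaintext_response(WEAK, SAMPLE_BODY))
    print(audit_plaintext_response(hardened_headers(), SAMPLE_BODY))
```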