I have a couple of questions about this control MSOFileTransferButtons.
Why is it in Pega-AppDefinition? I have a number of teams that forked the rule -- possibly because they didn't see the AppDefinition as being in the peroper "foundation" layer, like Pega-UIDesign.
Secondly, it's curious to note that MSOFileTransferButtons is flagged by the Security Analyzer. Well, the Pega version is not, but any forked version in a local ruleset is. This is a problem through v7.1.5, for those of you scoring at home.
<button class='buttonTdButton' onclick="MSODownloadFile('<%= tools.getParamValue("downloadActivity") %>', '<%= tools.getParamValue("otherParamValues") %>','<%= tools.getParamValue("showWarning") %>','<%= tools.getParamValue("warningMessage") %>')" type="button">
Now, this is probably not a huge risk, since parameters to controls are always passed explictly; there's no option to pass the existing parameter page. Still, it probably should be addressed, so as not to show up by any code scanner.