The problem is that 'msg' is being passed down to your function, but there is no neutralization of this before it gets used - the string gets uses 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf
I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.
Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
You should be able to use HtmlEncode to make this safe HttpUtility.HtmlEncode(unencoded);
rev.ErrorMessage = System.web.HttpUtility.HtmlEncode(msg);