@yujikosuga reported a persistent (stored) XSS vulnerability on an organization’s profile page. If an organization set its public email address to a value containing HTML markup, that value was rendered unescaped into the organization’s profile page, so the injected markup became part of the page for every visitor.

While exploitation of this vulnerability was prevented by our use of CSP, we still took the threat seriously: CSP is a mitigating control for script execution, not a substitute for encoding untrusted output in its HTML context. We addressed the behavior by properly escaping the email address at the point where it is rendered.
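As an added illustration of the bug class and its fix (this is not GitHub's code and not part of the original report; the template shape, function names and the sample payload are assumptions), the Ruby snippet below renders a constructed "public email" value both unescaped and HTML-escaped, checks the output for tags the template itself never emits, and adds the input-validation layer a practitioner would want alongside output escaping:

```ruby
require "erb"
require "uri"

# Constructed sample input: an organization "public email" that carries HTML.
# The payload is illustrative only; it breaks out of the href attribute and
# injects an element with an event handler.
MALICIOUS_EMAIL = %q{"><img src=x onerror="alert(document.domain)"><span class="}

# Vulnerable rendering (hypothetical reconstruction of the reported behaviour):
# the stored value is interpolated straight into markup, in both an attribute
# context and a text context, without any escaping.
def render_profile_vulnerable(org_name, email)
  %(<h1>#{org_name}</h1>\n<a href="mailto:#{email}">#{email}</a>)
end

# Fixed rendering: every untrusted value is HTML-escaped at the point of output.
# ERB::Util.html_escape converts & < > " ' into character references, which is
# sufficient for both the quoted-attribute and the element-text contexts used here.
def render_profile_escaped(org_name, email)
  e = ->(v) { ERB::Util.html_escape(v) }
  %(<h1>#{e.(org_name)}</h1>\n<a href="mailto:#{e.(email)}">#{e.(email)}</a>)
end

# Check: list any tag names in the rendered fragment that the template itself
# does not emit. A non-empty result means attacker-controlled markup got through.
TEMPLATE_TAGS = %w[h1 a].freeze
def injected_tags(html)
  html.scan(%r{</?([A-Za-z][A-Za-z0-9]*)}).flatten.map(&:downcase).uniq - TEMPLATE_TAGS
end

# Defense in depth: reject values that are not syntactically an email address
# before they are stored. This narrows what can reach the template but does not
# replace output escaping (assumed policy; URI::MailTo::EMAIL_REGEXP is stdlib).
def valid_public_email?(value)
  value.is_a?(String) && value.length <= 254 && value.match?(URI::MailTo::EMAIL_REGEXP)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable output injects: #{injected_tags(render_profile_vulnerable('Acme', MALICIOUS_EMAIL)).inspect}"
  puts "escaped output injects:    #{injected_tags(render_profile_escaped('Acme', MALICIOUS_EMAIL)).inspect}"
  puts "payload passes validation? #{valid_public_email?(MALICIOUS_EMAIL)}"
end
```

The two rendering functions differ only in the escaping call, which is the whole fix; the `injected_tags` check is the kind of assertion a regression test for this class of bug can make against rendered output.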