@bitquark reported a reflected self-XSS vulnerability that existed within our organization creation page. If the organization name contained HTML markup and the submitted coupon code was invalid, the unescaped organization name was used in the response.

While this was a reflected self-XSS vulnerability that was also mitigated by our use of CSP, we still took the threat seriously. We addressed the behavior by properly escaping the organization name. In addition, we refactored the shared template logic to reduce the chance that a similar vulnerability will occur elsewhere.
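To illustrate the class of bug and the fix described above, here is an added Ruby/ERB model (example code, not GitHub's own): one template escapes the organization name on the success path but reflects it raw on the invalid-coupon path, and a refactored renderer escapes the value at a single chokepoint before any branch can use it. The template text, the sample organization name and the helper names are all constructed for this example.

```ruby
require "erb"

# Constructed sample input: an organization name carrying HTML markup,
# the kind of value the report describes (not a value from the page).
MARKUP_NAME = "Acme <script>alert(1)</script>"

# Modelled defect: the success branch escapes the name, but the
# invalid-coupon error branch interpolates it verbatim. Plain ERB does
# not auto-escape, so <%= %> writes whatever it is given.
VULNERABLE_TEMPLATE = <<~ERB
  <% if coupon_valid %>
  <p>Coupon applied for <%= ERB::Util.html_escape(org_name) %>.</p>
  <% else %>
  <p>Invalid coupon code for <%= org_name %>.</p>
  <% end %>
ERB

# Refactored template: no branch ever sees the raw name. Every branch
# renders a value that has already been escaped by the renderer, so a
# newly added branch cannot forget to escape it.
FIXED_TEMPLATE = <<~ERB
  <% if coupon_valid %>
  <p>Coupon applied for <%= display_name %>.</p>
  <% else %>
  <p>Invalid coupon code for <%= display_name %>.</p>
  <% end %>
ERB

def render_vulnerable(org_name, coupon_valid)
  ERB.new(VULNERABLE_TEMPLATE)
     .result_with_hash(org_name: org_name, coupon_valid: coupon_valid)
end

# Fix: escape once, at the boundary between request data and templates.
def render_fixed(org_name, coupon_valid)
  ERB.new(FIXED_TEMPLATE).result_with_hash(
    display_name: ERB::Util.html_escape(org_name),
    coupon_valid: coupon_valid
  )
end

# Simple check usable in a regression test: does the rendered page still
# contain the submitted markup unchanged?
def reflects_raw_markup?(html, submitted_name)
  html.include?(submitted_name)
end
```

Running `render_vulnerable(MARKUP_NAME, false)` reproduces the reflection, while `render_fixed` yields `&lt;script&gt;` in both branches.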