@adob reported a persistent XSS vulnerability in our contributors graph page. If the default branch name for a repository contained HTML markup, the branch name was rendered unescaped on the contributors graph page.

While exploitation of this vulnerability was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by properly escaping the branch name.
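
The fix described above, as an added example (not GitHub's code): a branch name interpolated verbatim into markup, beside the escaped form. The function names, markup, URL layout and sample branch name are assumptions constructed for illustration.

```javascript
// Added example. All names, markup and sample values are constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a value for use in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored branch name is placed into the page verbatim,
// so any markup in it becomes part of the document for every viewer.
function renderHeadingUnsafe(branch) {
  return `<h3 class="graph-title">Contributions to ${branch}</h3>`;
}

// "After": the branch name is percent-encoded per path segment for the URL,
// and HTML-escaped wherever it is written into markup.
function renderHeading(owner, repo, branch) {
  const branchPath = branch.split("/").map(encodeURIComponent).join("/");
  const href = `/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/tree/${branchPath}`;
  return `<h3 class="graph-title">Contributions to ` +
         `<a href="${escapeHtml(href)}">${escapeHtml(branch)}</a></h3>`;
}

// Regression check: does a rendered fragment open an element of the given type?
function containsTag(html, tag) {
  return new RegExp(`<\\s*${tag}\\b`, "i").test(html);
}

// Constructed sample: angle brackets and slashes are legal in Git branch names.
const SAMPLE_BRANCH = "<script>alert(1)</script>";

console.log(containsTag(renderHeadingUnsafe(SAMPLE_BRANCH), "script"));
console.log(containsTag(renderHeading("octo", "demo", SAMPLE_BRANCH), "script"));
```
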