@hughdavenport reported a stored XSS vulnerability on the pull request page. Pull requests for branches with HTML in the name would result in attacker-controlled HTML being injected into the page.

While exploitation of this vulnerability was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by properly escaping the branch name on the pull request page. A fix for this vulnerability is included in GitHub Enterprise v2.1.6.
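The pattern behind this fix, as an added example that is not GitHub's code: a pull request heading rendered by interpolating the branch name straight into the markup (the vulnerable form) beside the same heading with the branch name HTML-escaped, plus a small check that flags any tag in the output that the template itself did not emit. The template markup, the sample branch name and the `foreign_tags` helper are constructed for this illustration.

```ruby
require "erb"

# Constructed sample branch name carrying HTML; any value an author can choose
# for a branch name reaches the pull request page, so it is untrusted input.
HTML_BRANCH_NAME = "feature/<b>bold</b><!--"

# Tag names the page template itself emits (assumption for this example).
TEMPLATE_TAGS = %w[h1 span].freeze

# Vulnerable form: the branch name is interpolated into the HTML unchanged,
# so any markup in it becomes part of the page's DOM.
def render_pr_title_unescaped(branch)
  %(<h1>Pull request from <span class="branch">#{branch}</span></h1>)
end

# Fixed form: the branch name is HTML-escaped before interpolation, so
# <, >, &, " and ' are emitted as character references and render as text.
def render_pr_title_escaped(branch)
  safe_branch = ERB::Util.html_escape(branch)
  %(<h1>Pull request from <span class="branch">#{safe_branch}</span></h1>)
end

# Defender-side check: return the names of any tags in the rendered HTML that
# the template did not emit. A non-empty result means untrusted markup leaked
# into the page. (Constructed helper; it reads opening and closing tag names
# only and is meant for tests, not as a replacement for escaping.)
def foreign_tags(html)
  html.scan(%r{</?([A-Za-z][A-Za-z0-9]*)}).flatten.uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_pr_title_unescaped(HTML_BRANCH_NAME)}"
  puts "  injected tags: #{foreign_tags(render_pr_title_unescaped(HTML_BRANCH_NAME)).inspect}"
  puts "escaped:   #{render_pr_title_escaped(HTML_BRANCH_NAME)}"
  puts "  injected tags: #{foreign_tags(render_pr_title_escaped(HTML_BRANCH_NAME)).inspect}"
end
```

Escaping at the point of output is the actual fix; a Content-Security-Policy such as the one the advisory credits is a second layer that limits what injected markup can do if an escaping gap is ever missed, and the two belong together rather than as alternatives.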