@arjunv reported a reflected self-XSS vulnerability that existed within our organization creation page. When an invalid organization name is provided, the properly escaped name is used in several locations in the response. This is correct behavior and generally protects against XSS. However, one HTML attribute value that contained the invalid organization name was not quoted. Because an unquoted attribute value ends at the first whitespace character, an invalid organization name with a space in it would have allowed an attacker to create additional HTML attributes, such as a JavaScript event handler. While this was mitigated by our use of CSP, we still took the threat seriously. We addressed the behavior by properly quoting the attribute value.
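The difference between the escaped-but-unquoted attribute and the quoted fix, as an added example that is not the site's own code. The `<input>` template, the helper names and the sample name are assumptions, and the constructed input uses a harmless `data-` attribute to show the split.

```javascript
// Hypothetical helpers for illustration; not taken from the affected application.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// "Before": the value is HTML-escaped, but the attribute value is not quoted.
function renderUnquoted(name) {
  return `<input name=org value=${escapeHtml(name)}>`;
}

// "After": same escaping, attribute value wrapped in double quotes.
function renderQuoted(name) {
  return `<input name=org value="${escapeHtml(name)}">`;
}

// Minimal tokenizer for one start tag. It follows the HTML rule that an
// unquoted attribute value ends at whitespace, while a quoted value runs to
// the matching quote. Entities are left undecoded; that does not affect
// where one attribute ends and the next begins.
function parseAttributes(tag) {
  const inner = tag.replace(/^<\w+/, '').replace(/>$/, '');
  const attrs = {};
  const re = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s]*)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Regression check: report any attribute the template did not intend to emit.
function unexpectedAttributes(tag, allowed = ['name', 'value']) {
  return Object.keys(parseAttributes(tag)).filter(k => !allowed.includes(k));
}

// Constructed sample: escaping leaves it untouched because it contains
// no <, >, &, or quote characters, only a space.
const SAMPLE_NAME = 'acme data-injected=1';

console.log(unexpectedAttributes(renderUnquoted(SAMPLE_NAME))); // extra attribute appears
console.log(unexpectedAttributes(renderQuoted(SAMPLE_NAME)));   // none
```

A check like `unexpectedAttributes` can run in a template test suite with names containing spaces, which is the case that escaping-only tests miss.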