1. Create a commit with `&` (or `<` or `>`) in the title. 2. Navigate to the repository browser. 3. Resize below `sm` breakpoint (I use mobile device emulation in Chrome). 4. Click "⋯" button to reveal the full commit title. 5. Note that entities are shown as-is. 6. Do it again but include a reference to an issue, like `#1`. 7. Have another look — it gets worse! <table><tr><td> {width=449 height=535} </td><td> {width=460 height=464} </td></tr></table> `app/assets/javascripts/repository/components/collapsible_commit_info.vue` L132 uses `{{ commit.titleHtml }}` — we should use `v-safe-html` to interpret the HTML here. (It's produced by the backend and is very safe for use with `v-safe-html`.)