compare: prevent XSS due to unescaped branch/tag/bookmark names In the revision selection dropdown of the 'Compare' functionality, the branch/tag/bookmark names were not correctly escaped. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability. Fix the problem by correctly escaping the branch/tag/bookmarks.