XSS vulnerability via filenames in repository

XSS is possible via unescaped filename in git repository, e.g. `<img src=x onerror=alert(1)>`.

![image](https://cloud.githubusercontent.com/assets/6756744/22125616/ad8d7b0c-de94-11e6-88cd-0a430a490ece.png)

Repository with POC: https://github.com/ecneladis/xss_github_vector