JetBrains Upsource prior to 2019.1.1412 was not properly escaping HTML tags in a code block comments, leading to XSS.
jetbrains upsource