The vulnerability stems from unescaped user input in template rendering. The patch adds _htmlEsc usage across multiple templates (buildinfo.chtml, taskinfo.chtml, etc.), indicating these were vulnerable entry points. The corresponding controller functions in kojiweb.index.* that feed data to these templates would appear in runtime profiles when processing malicious requests. The util._htmlEsc function's addition confirms output encoding was missing in prior versions. Each listed function handles user-controllable data that was reflected in output without proper sanitization.
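The missing output encoding described above, shown as an added example that is not Koji's code or part of the patch: a reflected value rendered without and then with encoding at the point of output, plus a regression check that flags verbatim reflection. The template `PAGE`, the helper `html_esc` (a stand-in for the role `_htmlEsc` plays) and the sample values are all hypothetical.

```python
import html
from string import Template

# Hypothetical stand-in for a build-info page fragment; not a Koji template.
PAGE = Template('<h4>Information for build $name</h4>\n'
                '<span title="$owner">$owner</span>')

def html_esc(value):
    """Encode a value for HTML text and quoted-attribute contexts."""
    return html.escape(str(value), quote=True)

def render_unescaped(fields):
    """'Before' behaviour: values are reflected into the markup as-is."""
    return PAGE.substitute(fields)

def render_escaped(fields):
    """'After' behaviour: every value is encoded at the point of output."""
    return PAGE.substitute({k: html_esc(v) for k, v in fields.items()})

def reflected_raw(page, fields):
    """Regression check: fields whose markup-bearing value appears verbatim."""
    return sorted(k for k, v in fields.items()
                  if str(v) != html_esc(v) and str(v) in page)

# Constructed sample input: values a requester could control.
SAMPLE = {
    "name": "pkg-1.0<img src=x>",    # markup in element text
    "owner": 'alice" data-x="1',     # quote that would close the attribute
}

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        out = render(SAMPLE)
        print(render.__name__, "->", reflected_raw(out, SAMPLE) or "clean")
        print(out, "\n")
```

A check like `reflected_raw` fits in a template test suite: feed each user-controllable field a markup-bearing value and fail the build if any comes back unencoded.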