bracket-template suffers from reflected XSS possible when variable passed via GET parameter is used in templateReferenceshttps://hackerone.com/reports/317125
