I'm interested in what's happening here. Can you provide a link/more info on what the XSS issue is?

(I honestly don't know and would love to learn about this. Thanks)

From what I can see, the issue is fixed now. But simply, someone put html in their useragent, the site copied it as text, and included it as text in the html. The browser then interpreted it as html, and executed the javascript.

The fix is to parse inputs, and replace < and > with html entities. You can see this fix if you read the source for the page.