Content injection caused by failing to encode the URL

    • 6.03

      The exampleURLPrefix variable given to the single-xml-header.vm or searchrequest-xml-header.vm comes from the current URL (see IssueXMLView.java & SearchRequestXMLView) and is not XML-encoded before being included in the response. In my testing, browsers such as Firefox and Chrome both URI-encode the query parameters of a URL/link. However, Internet Explorer (tested against version 11) does not URL-encode query parameters. This means that a URL like

      https://$domain/si/jira.issueviews:issue-xml/DESK-2/DESK-2.xml?//--><html><body>hi</body>;<!-- 

      can result in injected HTML content in the response.
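
Added example (not Jira's code and not part of the original report): a small Python model of the header rendering, comparing the unencoded output with an XML-encoded one. Assumptions: the prefix is rendered inside an XML comment (inferred from the `-->` and `<!--` in the URL above); the `HEADER` template, the host `jira.example.test` and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from xml.sax.saxutils import escape

# Constructed stand-in for the XML view header: the example URL prefix is
# assumed to be rendered inside an XML comment ahead of the document root.
HEADER = ('<!-- For example: {prefix}field=key -->\n'
          '<rss version="0.92"><channel/></rss>')

# Request URL as sent by a client that does not percent-encode the query
# string (host is a placeholder; path and query string are from the report).
REQUEST_URL = ("https://jira.example.test/si/jira.issueviews:issue-xml/"
               "DESK-2/DESK-2.xml?//--><html><body>hi</body>;<!-- ")


def render_unencoded(url):
    """Behaviour described in the report: the URL is inserted as-is."""
    return HEADER.format(prefix=url)


def render_encoded(url):
    """XML-encode &, < and > so the value cannot close the comment.
    Strict XML parsers still reject a literal '--' inside a comment;
    this check is only about the value staying inside the comment."""
    return HEADER.format(prefix=escape(url))


class _Tags(HTMLParser):
    """Records the element names a lenient markup parser treats as live tags."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def live_tags(document):
    """Return start tags found outside comments, in document order."""
    parser = _Tags()
    parser.feed(document)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print(live_tags(render_unencoded(REQUEST_URL)))  # injected tags are live
    print(live_tags(render_encoded(REQUEST_URL)))    # only the template's tags
```

A regression test for the fix can assert that the rendered header contains exactly one comment terminator regardless of the request URL.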

              Assignee:
              Oswaldo Hernandez (Inactive)
              Reporter:
              David Black