Simply calling
http://localhost:8888/rest/%3Cscript%3Ealert(1)%3C/script%3E
results in an alert().
Calling the URI in the description now escapes the HTML and the message returned is:
https://github.com/lucee/Lucee/commit/8f5d5901c1d320f2fcd7e7298dec01aa17cccd67
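
The fix pattern described in the comment above, as an added example that is not taken from the linked Lucee commit: an error page built with and without HTML-escaping the request path, plus a regression check using the path from the report. The class name, method names and error wording are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in for a REST servlet's error page; not Lucee's code.
public class RestErrorEscaping {

    // Escape the characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before: the decoded path goes into the HTML response unchanged.
    static String errorPageBefore(String path) {
        return "<p>constructed error text for [" + path + "]</p>";
    }

    // After: the path is escaped at the point where it is written into HTML.
    static String errorPageAfter(String path) {
        return "<p>constructed error text for [" + escapeHtml(path) + "]</p>";
    }

    public static void main(String[] args) {
        // Path segment from the report, percent-decoded as the container would deliver it.
        String path = URLDecoder.decode("/%3Cscript%3Ealert(1)%3C/script%3E", StandardCharsets.UTF_8);

        String before = errorPageBefore(path);
        String after = errorPageAfter(path);
        System.out.println("before: " + before);
        System.out.println("after:  " + after);

        // Regression check: the reflected path must arrive as text, never as markup.
        if (!before.contains("<script>")) throw new AssertionError("unescaped sample should reflect markup");
        if (after.contains("<script>")) throw new AssertionError("escaped page still reflects markup");
        if (!after.contains("&lt;script&gt;alert(1)&lt;/script&gt;")) throw new AssertionError("path not escaped as expected");
    }
}
```

The same check can be kept as a unit test around whatever function renders the error body, so a later refactor that drops the escaping fails the build.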