@adob discovered a DOM-based XSS vulnerability in GitHub.com. By setting an appropriate attribute on an HTML tag, @adob was able to leverage existing GitHub JavaScript to insert arbitrary HTML markup into the DOM. In addition, @adob was able to exploit a Chrome browser bug to bypass our Content Security Policy (CSP). These two bugs, in combination, would allow execution of user-controlled JavaScript on GitHub.com.

While this XSS was browser-specific, Chrome is the most popular browser on GitHub.com. We addressed the DOM XSS vulnerability by further restricting the attributes allowed on HTML tags in user-supplied markup. In addition, we have modified our CSP to work around the bug in Chrome.
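As an added illustration of the mitigation described above (example code, not GitHub's own sanitizer), here is a per-tag attribute allowlist for user-supplied markup; the tag names, attribute sets and URL schemes are assumptions, since the advisory does not name the attribute involved.

```javascript
// Added example: allowlist-based attribute filtering for user markup.
// Elements are assumed to arrive as {tag, attrs} objects from an HTML
// parser; the parser itself is out of scope here.

// Attributes permitted on any tag (assumed set).
const GLOBAL_ATTRS = new Set(["class", "id", "title"]);
// Per-tag additions (assumed set). Tags not listed keep only GLOBAL_ATTRS.
const TAG_ATTRS = {
  a: new Set(["href", "rel"]),
  img: new Set(["src", "alt", "width", "height"]),
};
// URL-bearing attributes may only use these schemes; javascript:, data:
// and vbscript: are therefore rejected.
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = ["http:", "https:", "mailto:"];

function isSafeUrl(value) {
  // Browsers strip tabs/newlines and surrounding whitespace before parsing
  // a URL, so the check normalises the same way before looking at the scheme.
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  // No scheme means a relative URL, which stays on the current origin.
  if (!/^[a-z][a-z0-9+.-]*:/.test(v)) return true;
  return SAFE_SCHEMES.some((scheme) => v.startsWith(scheme));
}

function sanitizeAttributes(tag, attrs) {
  const allowed = TAG_ATTRS[tag.toLowerCase()] || new Set();
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    // Event handlers are dropped unconditionally, independent of the lists.
    if (n.startsWith("on")) continue;
    // Anything not explicitly allowed for this tag is dropped (deny by default).
    if (!GLOBAL_ATTRS.has(n) && !allowed.has(n)) continue;
    // Allowed URL attributes must still carry a safe scheme.
    if (URL_ATTRS.has(n) && !isSafeUrl(value)) continue;
    out[n] = value;
  }
  return out;
}

function sanitizeElement(el) {
  return { tag: el.tag.toLowerCase(), attrs: sanitizeAttributes(el.tag, el.attrs) };
}
```

The deny-by-default rule is the important part: an attribute that later turns out to be interpreted by page scripts is only reachable if it was explicitly listed.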