@adob discovered a DOM-based XSS vulnerability within the wiki functionality on GitHub.com. By setting an appropriate attribute on an HTML tag, @adob was able to leverage existing GitHub JavaScript to insert arbitrary HTML markup into the DOM. While our Content Security Policy (CSP) prevented injection of JavaScript, @adob was able to leverage additional GitHub JavaScript to trigger an event handler that automatically submitted an injected HTML form element.

We addressed the DOM XSS vulnerability by further restricting the allowed attributes for HTML tags in markup. In addition, we are auditing and modifying multiple client- and server-side components to further reduce the risk associated with injected static HTML (such as forms).
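The failure mode described above is worth seeing concretely: a markup sanitizer can be "safe" in the sense that it strips scripts and event handlers, yet still pass through an attribute that the site's own JavaScript treats as a behaviour hook, so the client code does the DOM insertion on the attacker's behalf. The added example below (not GitHub's code; the tag and attribute allowlists, the hook attribute names `data-fetch-url` and `data-autosubmit`, and the sample markup are all constructed for illustration) contrasts a weak allowlist that lets any `data-*` attribute through with a strict per-tag allowlist, and includes a small audit helper that checks whether any attribute the page's JavaScript reacts to would survive a given allowlist, which is the kind of client/server cross-check the fix calls for.

```python
"""Attribute allowlisting for user-supplied markup (constructed example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a wiki renderer might permit. Constructed sample, not a real policy.
ALLOWED_TAGS = {"a", "p", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "div", "span"}

# Weak policy: a few explicit attributes plus (see allow_data_prefix) any data-*.
WEAK_ALLOWED_ATTRS = {"a": {"href", "title"}, "*": {"class", "id"}}
# Strict policy: only what a specific tag needs, no global attributes at all.
STRICT_ALLOWED_ATTRS = {"a": {"href", "title"}, "*": set()}

# Attribute names the site's own JavaScript uses as behaviour hooks
# (hypothetical; a real audit would extract these from the client code).
JS_HOOK_ATTRS = {"data-fetch-url", "data-autosubmit"}


def safe_url(value):
    """Allow relative URLs and a few schemes; rejects javascript:, data:, etc."""
    return urlsplit((value or "").strip()).scheme.lower() in ("", "http", "https", "mailto")


class AllowlistSanitizer(HTMLParser):
    """Re-serialises markup, keeping only allowlisted tags and attributes."""

    def __init__(self, allowed_attrs, allow_data_prefix=False):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed_attrs
        self.allow_data_prefix = allow_data_prefix
        self.out = []
        self.dropped = []  # (tag, attr-or-None) pairs removed, for logging/auditing

    def _attr_allowed(self, tag, name):
        if name in self.allowed.get(tag, set()) or name in self.allowed.get("*", set()):
            return True
        return self.allow_data_prefix and name.startswith("data-")

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:          # html.parser lowercases names for us
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if not self._attr_allowed(tag, name) or (name == "href" and not safe_url(value)):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(markup, allowed_attrs, allow_data_prefix=False):
    """Return (clean_html, dropped) for the given allowlist."""
    parser = AllowlistSanitizer(allowed_attrs, allow_data_prefix)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


def hook_collisions(allowed_attrs, allow_data_prefix, js_hook_attrs):
    """Audit: which JS hook attributes would a given allowlist let user markup carry?"""
    collisions = set()
    for name in js_hook_attrs:
        per_tag = any(name in attrs for tag, attrs in allowed_attrs.items() if tag != "*")
        if name in allowed_attrs.get("*", set()) or per_tag \
                or (allow_data_prefix and name.startswith("data-")):
            collisions.add(name)
    return collisions


# Constructed sample: benign formatting, a hook attribute, a javascript: link, a form.
SAMPLE = ('<p>Hello <b>wiki</b></p>'
          '<div data-fetch-url="https://example.invalid/snippet" class="note">load</div>'
          '<a href="javascript:alert(1)">x</a>'
          '<form action="https://example.invalid/post" method="post"><input name="token"></form>')

if __name__ == "__main__":
    weak_html, _ = sanitize(SAMPLE, WEAK_ALLOWED_ATTRS, allow_data_prefix=True)
    strict_html, dropped = sanitize(SAMPLE, STRICT_ALLOWED_ATTRS)
    print("weak:  ", weak_html)    # data-fetch-url survives; site JS would act on it
    print("strict:", strict_html)  # hook attribute gone
    print("weak policy collides with JS hooks:",
          hook_collisions(WEAK_ALLOWED_ATTRS, True, JS_HOOK_ATTRS))
    print("dropped under strict policy:", dropped)
```

The point of `hook_collisions` is that the sanitizer allowlist and the client JavaScript's attribute selectors are two halves of one trust boundary: either half can be reviewed in isolation and look fine. Keeping `dropped` as a return value rather than only printing it lets a renderer log which attributes user markup attempted to carry, which is useful detection signal in its own right.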