@glittershark reported an XSS vulnerability that could be triggered by clicking on links to patch files in the “ProTip” displayed in the footer of PRs. If a patch contained HTML markup, that HTML would be inserted into the DOM unescaped when a user clicked the “ProTip” link.

While exploitation of this vulnerability required user interaction and was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by properly handling links to patch files and serving them only with their intended content type. Additionally, we continue working to move unescaped user-supplied content off of the github.com domain, regardless of its served content type.
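As an added illustration, not GitHub's own code, the two halves of the fix described above in Node.js: a patch body that carries markup is escaped before it is placed into the page, and the raw patch file is served as plain text with MIME sniffing disabled. The sample patch, the function names and the header set are constructed for this example.

```javascript
// Constructed sample patch: a diff whose added line carries HTML markup.
const SAMPLE_PATCH = [
  'diff --git a/index.html b/index.html',
  '+++ b/index.html',
  '@@ -1 +1 @@',
  '+<b>markup that must stay literal</b>',
].join('\n');

// Vulnerable pattern: the patch text is dropped into an HTML template as-is,
// so any markup inside the diff becomes part of the DOM when rendered.
function renderPatchUnsafe(patch) {
  return `<pre class="patch">${patch}</pre>`;
}

// Hardened pattern: escape the characters that can change HTML structure
// before the text goes into the template; the browser then shows them literally.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderPatchSafe(patch) {
  return `<pre class="patch">${escapeHtml(patch)}</pre>`;
}

// Response headers for serving the raw .patch file itself: declare it as plain
// text and forbid MIME sniffing so the browser never interprets it as HTML.
function patchFileHeaders() {
  return {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Detection helper: does any tag from the patch survive inside the wrapper?
function containsRawTag(html) {
  const body = html.slice('<pre class="patch">'.length, -'</pre>'.length);
  return /<[a-z]/i.test(body);
}

console.log('unsafe leaks markup:', containsRawTag(renderPatchUnsafe(SAMPLE_PATCH)));
console.log('safe leaks markup:  ', containsRawTag(renderPatchSafe(SAMPLE_PATCH)));
```

Escaping on insertion protects the PR page; the content-type and nosniff headers protect the raw file endpoint, and both are needed because they cover different paths to the same content.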

No patches for this issue are required for existing GitHub Enterprise releases. The functionality that introduced this issue was not present in any GitHub Enterprise release.