@EiNSTeiN- reported a reflected XSS vulnerability that existed on the repository issues page on github.com and the user profile page on gist.github.com. User input was passed to the url_for Rails helper responsible for generating some of the links on these pages. While arbitrary HTML content injection was not possible, full control of the href attribute for these links could have been leveraged by an attacker to inject JavaScript (via the javascript: protocol) or link to malicious untrusted third-party sites.

While JavaScript execution was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by not allowing unsafe url_for arguments to be passed from user request parameters.