@adob reported an XSS vulnerability that could be triggered by setting HTML content in a user’s profile that would be returned by the GitHub API. This data was subsequently queried by a GitHub web application and inserted unsafely into the DOM using innerHTML. This led to DOM-based XSS.

While exploitation of this vulnerability only occurred within a static HTML site, with no user session or sensitive information, we still took the threat seriously. We addressed the behavior by replacing DOM manipulation using innerHTML with a safe alternative.
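The two rendering paths described above, as an added example (not GitHub's code): the profile record, its field name and the benign marker payload are constructed stand-ins for data returned by a users API, and the element and document arguments are plain DOM objects (or stubs in a non-browser test).

```javascript
// Constructed stand-in for a JSON profile record fetched from a users API.
// The bio is attacker-controlled text; the marker is inert (void 0) and only
// shows that markup survives the parser in the unsafe path.
const profile = { login: "example-user", bio: '<img src=x onerror="void 0">' };

// Vulnerable path (the behaviour the advisory describes): API data is spliced
// into an HTML string and handed to the parser via innerHTML, so any tags or
// event-handler attributes in the bio become live DOM nodes.
function renderBioUnsafe(container, p) {
  container.innerHTML = `<p class="bio">${p.bio}</p>`;
}

// Hardened path: build the element with DOM APIs and assign the data as text.
// textContent never invokes the HTML parser, so '<', '>' and quotes are data.
function renderBioSafe(container, p, doc = globalThis.document) {
  const para = doc.createElement("p");
  para.className = "bio";
  para.textContent = p.bio;
  container.replaceChildren(para);
}

// Fallback for code that must keep string templating: escape the five
// characters HTML treats as syntax before the string reaches innerHTML.
// Prefer the DOM-API version above; this only covers text and quoted
// attribute contexts, not URLs, scripts or unquoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderBioEscaped(container, p) {
  container.innerHTML = `<p class="bio">${escapeHtml(p.bio)}</p>`;
}
```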