@adob reported an XSS vulnerability that could be triggered by setting HTML content in a user's profile that would be returned by the GitHub API. This data was subsequently queried by a GitHub web application and inserted unsafely into the DOM using innerHTML. This led to DOM-based XSS.
While exploitation of this vulnerability only occurred within a static HTML site, with no user session or sensitive information, we still took the threat seriously. We addressed the behavior by replacing DOM manipulation using innerHTML with a safe alternative.
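The sink and the fix described above, as an added example that is not GitHub's code: a profile field returned by a JSON API is rendered once through innerHTML (the DOM XSS sink) and once by creating a node and assigning textContent. The profile object, the StubElement/stubDocument stand-in for the DOM, and the serialize helper are constructed here so the example runs under Node; in a browser you would pass the real document.

```javascript
// Added example (not GitHub's code): a profile field fetched from a JSON API is
// attacker-controlled text. Rendering it through innerHTML is a DOM XSS sink;
// building nodes and assigning textContent is the safe alternative.

// Constructed API response: the bio field carries markup (inert placeholder payload).
const sampleProfile = { login: "octocat", bio: '<img src=x onerror="alert(1)">' };

// Vulnerable: the string is handed to the HTML parser, so its tags become live nodes.
function renderProfileUnsafe(container, profile) {
  container.innerHTML = `<p class="bio">${profile.bio}</p>`;
  return container;
}

// Fixed: create the element and set its text; the value is never parsed as markup.
function renderProfileSafe(container, profile, doc = globalThis.document) {
  const p = doc.createElement("p");
  p.className = "bio";
  p.textContent = profile.bio;
  container.replaceChildren(p);
  return container;
}

// Minimal stand-in for the DOM so this runs under Node (constructed for this example);
// in a browser use the real document and elements instead.
class StubElement {
  constructor(tagName) {
    Object.assign(this, { tagName, className: "", innerHTML: "", textContent: "", childNodes: [] });
  }
  replaceChildren(...nodes) { this.childNodes = nodes; this.innerHTML = ""; }
}
const stubDocument = { createElement: (tag) => new StubElement(tag) };

// Mimics what innerHTML serialization would show for each result: text set via
// textContent is escaped on output, while markup injected via innerHTML stays verbatim.
function serialize(el) {
  const escape = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  const inner = el.innerHTML ||
    (el.childNodes.length ? el.childNodes.map(serialize).join("") : escape(el.textContent));
  return `<${el.tagName}>${inner}</${el.tagName}>`;
}

// Renders the same profile both ways and returns the resulting markup for comparison.
function demo() {
  const unsafe = serialize(renderProfileUnsafe(new StubElement("div"), sampleProfile));
  const safe = serialize(renderProfileSafe(new StubElement("div"), sampleProfile, stubDocument));
  return { unsafe, safe };
}
```

The unsafe result contains a live img element with an event handler; the safe result contains only the escaped text `&lt;img src=x onerror="alert(1)"&gt;`.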