@adob reported an XSS vulnerability that could be triggered by setting HTML content in a user's profile that would be returned by the GitHub API. This data was subsequently queried by a GitHub web application and inserted unsafely into the DOM using `innerHTML`. This led to DOM-based XSS.
While exploitation of this vulnerability only occurred within a static HTML site, with no user session or sensitive information, we still took the threat seriously. We addressed the behavior by replacing DOM manipulation using `innerHTML` with a safe alternative.
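The sink-and-fix pattern described above, as an added example that is not GitHub's code: the profile object shape, the `bio` field, and the sample API response are all constructed for illustration. It shows the vulnerable `innerHTML` assignment beside two safe alternatives, `textContent` for plain text and HTML entity encoding for cases where a wrapper template must still be built as markup.

```javascript
// Added example, not GitHub's code. Profile shape and field names are assumptions.

// Constructed sample API response: the bio field carries markup, as in the report.
const SAMPLE_PROFILE = {
  login: "example-user",
  bio: '<b>Hello</b><img src=x onerror="console.log(\'untrusted script ran\')">',
};

// Vulnerable pattern: the API string is handed to the HTML parser, so any
// tags and event-handler attributes it contains become live DOM nodes.
function renderBioUnsafe(el, profile) {
  el.innerHTML = profile.bio;
  return el;
}

// Safe pattern: assign the string as text. The browser creates a single
// text node, so "<img ...>" is displayed literally and nothing executes.
function renderBioSafe(el, profile) {
  el.textContent = profile.bio;
  return el;
}

// When a template genuinely needs innerHTML (for example, fixed wrapper markup),
// encode every untrusted value before interpolating it. These five characters
// are the ones that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderBioEscaped(el, profile) {
  el.innerHTML = `<p class="bio">${escapeHtml(profile.bio)}</p>`;
  return el;
}

// Stand-alone demo: in a browser use a real element; elsewhere a plain object
// stands in for one so the three renderers can be compared outside a DOM.
function demo() {
  const make = () =>
    typeof document !== "undefined" ? document.createElement("div") : {};
  return {
    unsafe: renderBioUnsafe(make(), SAMPLE_PROFILE),
    safe: renderBioSafe(make(), SAMPLE_PROFILE),
    escaped: renderBioEscaped(make(), SAMPLE_PROFILE),
  };
}

demo();
```

In a real page only `renderBioSafe` and `renderBioEscaped` render the sample bio harmlessly; `renderBioUnsafe` is the sink the report describes. Prefer `textContent` whenever the value is meant to be displayed as text, and reserve encoding for the rare case where the surrounding markup must be assembled as a string.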