@adob reported a XSS vulnerability in the GitHub API when rendering Markdown with a maliciously formatted attribute value. The GitHub Markdown API allows callers to render Markdown as HTML. The provided Markdown is translated to HTML using our “HTML pipeline” before it is rendered and returned. This pipeline consists of a number of filters, one of which is responsible for “autolinking” URLs into clickable links in the resulting HTML. @adob discovered a way to use the script macros syntax to format an element’s attribute value in a way that caused the autolink logic to incorrectly generate a link and the resulting HTML to be malformed. As a result, an attacker could inject arbitrary HTML in the result.
While this API was never used on GitHub.com, we still took the threat seriously. We addressed the XSS vulnerability by removing support for script macros from our vendored copy of libxml2 that is used by Nokogiri. We have no use for script macros when parsing HTML and it is what caused the autolink logic to parse its input incorrectly.