@adob reported a XSS vulnerability when rendering a maliciously formatted task list. Throughout GitHub.com users can provide markup that is translated to HTML using our “HTML pipeline” before it is rendered and displayed. This pipeline consists of a number of filters, one of which is responsible for translating task lists into HTML. @adob discovered a way to format a task list item so that it would render incorrectly and cause the resulting HTML to be malformed. In combination with using script macros to avoid escaping HTML attribute values, an attacker could inject arbitrary HTML in the rendered result.

While this issue was mitigated by our use of CSP, we still took the threat seriously. We addressed the XSS vulnerability by modifying our task list filter logic to parse task list items more strictly. In addition, we further mitigated this, and potential future issues, by removing support for script macros from our vendored copy of libxml2 that is used by Nokogiri. We have no use for script macros when parsing HTML, and they provide a potentially dangerous vector for attackers. While unescaped attribute values are not inherently unsafe, they can be when paired with bugs such as the one in our task list filter.
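As an added illustration of the "parse task list items more strictly" fix described in both paragraphs above, the following Ruby is example code, not GitHub's task list filter and not the html-pipeline gem's code. It assumes a minimal item grammar (a list item's text must begin with exactly `[ ]`, `[x]` or `[X]` followed by a space) and uses only the Ruby standard library. Anything that does not match the grammar is escaped and emitted as a plain `<li>`, so malformed input can never change the structure of the generated HTML; the item text is always passed through `CGI.escapeHTML`, so it can never break out of the element it is placed in.

```ruby
require 'cgi'

# Strict task-list item grammar. This regex is an assumption for the example,
# not the pattern used by GitHub's filter: the item text must start with a
# checkbox marker "[ ]", "[x]" or "[X]" followed by one space; the rest is the label.
TASK_ITEM_RE = /\A\[( |x|X)\] (.*)\z/m

# Render one list item's plain text to an HTML <li>.
# - A matching item becomes a disabled checkbox plus its escaped label.
# - Anything else is escaped and returned as an ordinary <li>; it is never
#   partially interpreted as a task item, which is what keeps the output well-formed.
def render_task_item(text)
  m = TASK_ITEM_RE.match(text)
  return %(<li>#{CGI.escapeHTML(text)}</li>) unless m

  checked = m[1] == ' ' ? '' : ' checked'
  label = CGI.escapeHTML(m[2])
  %(<li class="task-list-item"><input type="checkbox" disabled#{checked}> #{label}</li>)
end

# Render a whole task list from an array of item strings.
def render_task_list(items)
  "<ul class=\"task-list\">\n" + items.map { |t| render_task_item(t) }.join("\n") + "\n</ul>"
end

# Defensive check a test suite can run over the filter's output: the only
# '<' characters in the result must start one of the tags we emit ourselves.
ALLOWED_TAG_RE = %r{<(?:/?(?:ul|li)\b|input\b)}
def only_known_tags?(html)
  html.scan(/</).length == html.scan(ALLOWED_TAG_RE).length
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: two well-formed items, one that merely looks like
  # a task item, and one whose label contains markup that must stay inert.
  sample = [
    '[x] ship the fix',
    '[ ] write the advisory',
    '[not a task]',
    '[ ] label with <b>markup</b> and "quotes"'
  ]
  html = render_task_list(sample)
  puts html
  puts only_known_tags?(html) ? 'ok: only expected tags present' : 'unexpected tag in output'
end
```

The structural point is that the filter decides whether a line is a task item with one anchored match and then escapes everything it interpolates; there is no code path in which a partially matched marker is copied into the output unescaped.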