@zlamma discovered that potentially malicious markup was not being escaped when placed before autolinked issue references in commit messages. Commit messages are passed through our “HTML pipeline” before being rendered and returned, similar to what is done for our Markdown in issue bodies and comments. This pipeline consists of a number of filters, one of which is responsible for “autolinking” URLs into clickable links. Even though all input passes through a sanitization filter, which removes or escapes non-whitelisted content, the raw, unescaped, text of a previous node was fetched and reinserted into the HTML without further sanization.

While exploitation of this vulnerability was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by properly escaping the text being reinserted. We also went back and audited the “HTML pipeline” for any other instances where text is dangerously reinserted back into the HTML after being sanitized.