@ChALkeR discovered that our HTML sanitization library was allowing arbitrary user-controlled class attributes on

Given the variety of possible impacts of user-controlled class attributes, we worked under the assumption that this bug's impact was the same as CSRF. We identified that the bug was a regression introduced several months ago. During our investigation, we found a similar regression affecting another element. We addressed the vulnerabilities by removing the class attribute from the HTML sanitization whitelist for the affected elements. We have added integration and linting tests to ensure that similar bugs are not introduced and that changes to these whitelists receive further scrutiny from our security team in the future.
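As an added illustration (not GitHub's sanitizer or its actual whitelist), the following minimal allowlist-based sanitizer shows how a per-element attribute whitelist is applied, the weak configuration (class permitted on one element) beside the corrected one, and a lint-style check of the kind described above that fails when `class` reappears in any element's whitelist. The element names and attribute sets are constructed for the example.

```python
# Added example: a minimal allowlist-based HTML sanitizer on the standard
# library, plus a lint check over the allowlist itself. Hypothetical code;
# the allowlists below are constructed and not GitHub's configuration.
from html import escape
from html.parser import HTMLParser

# WEAK mirrors the regression described in the text: `class` is permitted
# on one element. FIXED is the same allowlist with `class` removed.
WEAK_ALLOWLIST = {"a": {"href", "title", "class"}, "p": set(), "code": set()}
FIXED_ALLOWLIST = {"a": {"href", "title"}, "p": set(), "code": set()}


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist = allowlist
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowlist:
            return  # drop elements outside the allowlist, keep their text
        kept = [(k, v) for k, v in attrs if k in self.allowlist[tag]]
        rendered = "".join(f' {k}="{escape(v or "")}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in self.allowlist:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text content is always re-escaped


def sanitize(html, allowlist):
    parser = AllowlistSanitizer(allowlist)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def lint_allowlist(allowlist, forbidden=("class", "style")):
    """Return the elements whose allowlist contains a forbidden attribute."""
    return sorted(tag for tag, attrs in allowlist.items() if set(attrs) & set(forbidden))


if __name__ == "__main__":
    sample = '<a href="/x" class="constructed-class">x</a><script>1</script>'
    print(sanitize(sample, WEAK_ALLOWLIST))   # class survives: the regression
    print(sanitize(sample, FIXED_ALLOWLIST))  # class dropped
    print(lint_allowlist(WEAK_ALLOWLIST))     # ['a']: the lint check fails
```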
@ChALkeR reported that titles of private issues and pull requests could be disclosed by editing comments made by other users. If a user posted a comment to a repository, an administrative user of that repository could edit their comment and disclose titles using the permissions of the original commenting user. We fixed this issue by changing how tooltips for cross-reference links are resolved and cached.