@zenitraM reported an XSS vulnerability that could be triggered by clicking on links within user comments. When opened, a link pointing to a dynamically generated patch file would be rendered inline as HTML by PJAX. However, the underlying content was not properly escaped for HTML and could lead to XSS.
While exploitation of this vulnerability required user interaction and was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by only rendering content inline with PJAX if it is received with a proper content type.