Summary
Comments rendered via v-html without sanitization, enabling stored XSS.
Details
Comments in Comments.vue were parsed by markdown-it with html: true and the resulting string was bound with v-html without being passed through DOMPurify. With html: true, markdown-it emits raw HTML in the comment source verbatim, and v-html inserts the rendered string into the DOM as markup rather than text, so nothing on the path strips script-bearing elements or event-handler attributes. A user with the Commenter role can therefore inject arbitrary HTML that executes in the browser of every user who views the comment.
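The render path described above, as an added example that is not code from the affected project: a rendered-markdown string that a component would bind with v-html, shown before and after an allowlist sanitization pass. The sanitizer here is a small stand-in written so the example runs offline; the actual fix should call DOMPurify.sanitize() on the markdown-it output (and set html: false so that raw HTML is escaped as text, which escapeHtml below models). The allowlisted tags and attributes, and the sample rendered string, are assumptions constructed for the example.

```javascript
// Added example for this advisory; it is not code from the affected project.
// Models markdown-it output bound with v-html: with html: true, raw HTML in a
// comment passes through verbatim, so the hardened path runs the rendered HTML
// through an allowlist sanitizer before binding it. The sanitizer is a stand-in
// for DOMPurify.sanitize() so that the example runs offline.

// Assumed allowlist: the markup a comment legitimately needs.
const ALLOWED_TAGS = new Set(['p', 'br', 'strong', 'em', 'code', 'pre', 'a',
  'ul', 'ol', 'li', 'blockquote']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
// href must be http(s), mailto, a fragment or a same-origin path; this rejects
// javascript:, data:, vbscript: and protocol-relative URLs.
const SAFE_URL = /^(?:https?:|mailto:|#|\/(?!\/))/i;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// What markdown-it does with raw HTML when html: false: escape it as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Decode entities before checking a URL, so java&#115;cript: cannot slip past.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', tab: '\t', newline: '\n' };
  const cp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|colon|tab|newline);/gi, (_, n) => named[n.toLowerCase()]);
}

// Rebuild a tag's attributes keeping only the allowlisted ones; this is what
// removes onerror=, onclick=, style= and similar.
function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    // Strip control characters and spaces before the scheme check ("java\nscript:").
    if (name === 'href' && !SAFE_URL.test(value.replace(/[\u0000-\u0020]/g, ''))) continue;
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Allowlist sanitizer over serialized HTML: text is kept as-is (the markdown
// renderer already entity-encoded it), every tag is either rebuilt from the
// allowlist or removed, and script/style are removed together with their body.
function sanitizeHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    if (html.startsWith('<!--', lt)) {                    // drop comments
      const end = html.indexOf('-->', lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const gt = html.indexOf('>', lt);
    const m = gt === -1 ? null : /^(\/?)([a-z][a-z0-9]*)([\s\S]*?)\/?$/i.exec(html.slice(lt + 1, gt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }     // not a tag: neutralise '<'
    const [, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    i = gt + 1;
    if (!ALLOWED_TAGS.has(name)) {
      if (!slash && (name === 'script' || name === 'style')) {
        const close = new RegExp(`</${name}\\s*>`, 'i').exec(html.slice(i));
        i = close ? i + close.index + close[0].length : html.length;
      }
      continue;
    }
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, attrs)}>`;
  }
  return out;
}

// Constructed sample: what markdown-it with html: true emits for a comment that
// contains raw HTML (the inline HTML is passed through verbatim).
const RENDERED_WITH_HTML_TRUE =
  '<p>nice post <img src=x onerror=alert(document.cookie)></p>' +
  '<p><a href="java&#115;cript:alert(1)">click</a></p>';

// The string a hardened component would bind with v-html.
function safeCommentHtml(rendered) {
  return sanitizeHtml(rendered);
}

console.log('before:', RENDERED_WITH_HTML_TRUE);
console.log('after: ', safeCommentHtml(RENDERED_WITH_HTML_TRUE));
```

The sanitizer keeps text nodes untouched because markdown-it has already entity-encoded them; re-escaping would turn `&amp;` into `&amp;amp;`. Attribute values, by contrast, are decoded before the scheme check and re-encoded on output, so an entity-obfuscated `javascript:` URL is rejected rather than reassembled by the browser. A production fix should rely on DOMPurify for this step rather than a hand-written parser, since the HTML tokenizer edge cases (unbalanced quotes, nested SVG and MathML namespaces, mutation XSS) are exactly where ad-hoc sanitizers fail.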
Impact
Stored XSS — malicious scripts execute for any user viewing the comment.
Credit
This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stockli) and @m-y-mo (Man Yue Mo).