HTML not sanitized in issue titles, allowing XSS


Jed Schmidt

24 Apr, 2009 06:17 AM

Here's an example:

The title is <script>alert('html needs to be sanitized')</script>, which is actually executed.

  1. Posted by Kyle Neath (GitHub Staff) on 24 Apr, 2009 05:14 PM

    Hey Jed,

    I think you might have support systems mixed up. This is Tender, the software that powers Github's support site. Try submitting your issue at


  2. Kyle Neath (GitHub Staff) closed this discussion on 24 Apr, 2009 05:14 PM.

  3. Jed Schmidt re-opened this discussion on 24 Apr, 2009 05:18 PM

  4. Posted by Jed Schmidt on 24 Apr, 2009 05:18 PM

    Oops, my bad. Sorry for the distraction!
