webcompat / webcompat.com

Source code for webcompat.com
https://webcompat.com
353 stars, 187 forks

Possible XSS in helpers.py #3746

Closed: openrefactory closed this issue 1 year ago

openrefactory commented 1 year ago

In file: helpers.py, there is a method that is vulnerable to cross-site scripting (XSS) which can compromise any cookies, session tokens and other sensitive information used with the website and browser.

The taint flows from the endpoints.py file, line 187. There, the variable new_comment is assigned a tainted value. This is then passed as a parameter in a method call on line 190.

return get_html_comments(new_comment)

This tainted data flows into the file helpers.py, through line 25, and eventually reaches line 36.

return make_response(comment_html, comment_status,
                     get_response_headers(response, HTML_MIME))

The tainted data needs to be sanitized before being used in sensitive contexts. The sanitization is domain specific.

denschub commented 1 year ago

@openrefactory whatever you're trying to do, stop. You're not being helpful, you're just spamming people with tons of unrelated bugs. Before reporting a security issue, make sure the issue actually exists. Also, filing a security issue in a public bugtracker is never the right thing to do. There are easy ways to find private contact details for the maintainers of this project.

The input for that function is what GitHub's API provides, and you can't pass arbitrary HTML into GitHub comments - you can only pass a very limited subset of HTML (basically everything that gets converted from markdown, and some additional things like <summary>). You can't, for example, put a <script> tag into a comment or any other field - as that would get sanitized on GitHub's end.

This is invalid, and looking at the reporter's bug GitHub history, probably spam.
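Both comments above turn on the same question: what HTML is allowed to reach make_response, and who enforces that (GitHub's rendering, per the reply, or the application's own sanitizer, per the report). The following is an added example, not code from webcompat.com or from either commenter, showing what a domain-specific allowlist sanitizer for a comment body looks like when implemented with only the Python standard library. The tag and attribute set (roughly what markdown rendering produces, plus details/summary) and the function name sanitize_comment_html are this example's assumptions, not the project's configuration; the sample inputs are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example: the elements GitHub-flavoured markdown
# typically renders, plus <details>/<summary>. Not webcompat.com's own policy.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "br", "details", "summary"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}                       # never emit a closing tag for these
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = ("script", "style")      # contents are discarded entirely


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens, keeping only allowlisted tags/attrs.

    Text nodes are re-escaped on output, so any markup that the parser did not
    recognise as an allowed tag ends up as inert text rather than live HTML.
    """

    def __init__(self):
        # convert_charrefs=True hands us decoded text; we re-escape it below.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text children
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            # Only allow href values with an explicit, known-safe scheme.
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_comment_html(html_text):
    """Return html_text reduced to the allowlisted subset, everything else inert."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples: one benign comment, three that a sanitizer must defuse.
    samples = [
        '<details><summary>Steps</summary>1 &lt; 2 and <a href="https://webcompat.com">link</a></details>',
        "<p>hi <script>alert(1)</script>there</p>",
        '<a href="javascript:alert(1)">click</a>',
        "<img src=x onerror=alert(1)>text",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_comment_html(sample)))
```

The check worth taking from this for the thread above is the one denschub makes implicitly: the output of sanitize_comment_html is the same for a trusted upstream and an untrusted one, so applying it in helpers.py costs nothing when GitHub has already stripped the dangerous markup and still bounds the damage if that assumption about the upstream ever stops holding.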