Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to templates/repo/issue/view_content.tmpl but not to templates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior.
Details
GHSA-vgjm-2cpf-4g7c was patched by adding | Sanitize (bluemonday HTML tag stripping) to milestone name rendering in view_content.tmpl. However, the same milestone dropdown exists in new_form.tmpl and was not patched.
In new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to < etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload (e.g., <img src=x onerror=alert(1)>).
Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.
PoC
poc.zip
Please extract the uploaded compressed file before proceeding
- docker compose up --build

Impact
- Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.
- Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.
References
Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to
templates/repo/issue/view_content.tmplbut not totemplates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI'spreserveHTMLbehavior.Details
GHSA-vgjm-2cpf-4g7c was patched by adding
| Sanitize(bluemonday HTML tag stripping) to milestone name rendering inview_content.tmpl. However, the same milestone dropdown exists innew_form.tmpland was not patched.In
new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts<to<etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload (e.g.,<img src=x onerror=alert(1)>).Semantic UI 2.4.2's dropdown component has
preserveHTML: trueas the default setting. When a user selects a dropdown item, the internalset.text()method calls jQuery's.html()with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.PoC
poc.zip
Please extract the uploaded compressed file before proceeding
Impact
References