## XSS Flaw Found in GitHub Status API Integration: Unescaped Data Rendered via innerHTML
A cross-site scripting vulnerability has been identified in code that consumes the GitHub Status API: incident data is interpolated directly into `innerHTML` template literals without HTML entity encoding. The flaw affects two separate rendering paths in `src/js/main.js`, creating an injection vector if the GitHub Status API ever returns content containing markup.

The first vulnerable code path appears around line 505 in the active incident list rendering, where the `incident.name`, `timestamp`, and `statusText` fields are inserted into DOM elements without encoding. The second affected section spans lines 568–589 in the incident history timeline cards, where `incident.name`, `severityIcon`, and the affected-service tags derived from `component.name` are rendered the same way. A `truncate()` function is applied to some fields, but it only shortens the string; it performs no HTML encoding, so any markup in the field survives truncation and is still parsed as HTML when assigned to `innerHTML`.

Security researchers note that because the data originates from an external API operated by GitHub, practical exploitability depends on whether that API could be manipulated or its responses intercepted in transit. The vulnerability illustrates a common pitfall in client-side applications that trust third-party status endpoints: API response fields are only as trustworthy as the API itself, and that trust can change without any change to the consuming code. Applications rendering external data in HTML contexts should apply output encoding consistently regardless of the source, even when that source is assumed to be reliable. The affected codebase is advised to HTML-entity-encode every interpolated field from the GitHub Status API, using the encoding appropriate to the context (element text versus a quoted attribute value), or to build the elements with DOM APIs such as `createElement` and `textContent` so that no data is ever parsed as markup.
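The following is an added example reconstructing the pattern described above, not code from the affected project or from GitHub. The helper names (`truncate`, `escapeHtml`, `renderIncidentUnsafe`, `renderIncidentSafe`, `countTags`, `hasEventHandlerAttribute`) and the sample incident object are assumptions for illustration; only the shape of the bug (fields interpolated into an `innerHTML` string after `truncate()`) follows the report. The hardened version encodes every interpolated field, and truncates before encoding so that a cut can never land inside an entity such as `&amp;`.

```javascript
// Added example: vulnerable innerHTML interpolation beside an HTML-encoded
// version. Function names and the sample payload are assumptions, not the
// project's own code.

// Constructed sample resembling a GitHub Status API incident object, with a
// hostile name and component name to show what unencoded interpolation does.
const SAMPLE_INCIDENT = {
  name: 'Incident: GitHub Actions degraded <img src=x onerror="alert(document.cookie)">',
  status: 'investigating',
  created_at: '2026-04-26T22:54:06Z',
  components: [
    { name: 'Git Operations' },
    { name: 'Actions" onmouseover="alert(1)' }, // breaks out of a quoted attribute
  ],
};

// Hypothetical truncate() matching the report: shortens the string, adds
// no encoding, so markup in the field survives.
function truncate(str, max = 60) {
  return str.length > max ? str.slice(0, max) + '...' : str;
}

// Vulnerable pattern: template literal whose result is assigned to
// element.innerHTML. Every ${...} below is raw API data.
function renderIncidentUnsafe(incident) {
  const tags = incident.components
    .map((c) => `<span class="tag" title="${c.name}">${c.name}</span>`)
    .join('');
  return `<li class="incident">
  <strong>${truncate(incident.name)}</strong>
  <time datetime="${incident.created_at}">${incident.created_at}</time>
  <em>${incident.status}</em>
  ${tags}
</li>`;
}

// HTML entity encoding that is safe for element text and for values inside
// double- or single-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened version: same template, every interpolated field encoded.
// Order matters: truncate the raw string first, then encode, so the cut
// never splits an entity that the encoder produced.
function renderIncidentSafe(incident) {
  const tags = incident.components
    .map((c) => {
      const name = escapeHtml(c.name);
      return `<span class="tag" title="${name}">${name}</span>`;
    })
    .join('');
  const when = escapeHtml(incident.created_at);
  return `<li class="incident">
  <strong>${escapeHtml(truncate(incident.name))}</strong>
  <time datetime="${when}">${when}</time>
  <em>${escapeHtml(incident.status)}</em>
  ${tags}
</li>`;
}

// Review-time checks: the template opens exactly six elements (li, strong,
// time, em, two spans). Any extra opening tag, or any on*="..." attribute,
// came from the data rather than from the template.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

function hasEventHandlerAttribute(html) {
  return /\son[a-z]+\s*=\s*["']/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderIncidentUnsafe(SAMPLE_INCIDENT));
  console.log('tags:', countTags(renderIncidentUnsafe(SAMPLE_INCIDENT)));
  console.log(renderIncidentSafe(SAMPLE_INCIDENT));
  console.log('tags:', countTags(renderIncidentSafe(SAMPLE_INCIDENT)));
}
```

Run with `node`: the unsafe output carries a seventh opening tag (`<img`) and two live event-handler attributes even though `truncate()` cut the name mid-payload, while the safe output keeps the template's six tags and renders the payload as visible text. The same data could also be mounted with `createElement` and `textContent`, which removes the need for `escapeHtml` entirely because nothing is parsed as markup.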
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: xss, github-status-api, innerhtml, security-vulnerability, client-side
- **Credibility**: unverified
- **Published**: 2026-04-26 22:54:06
- **ID**: 77246
- **URL**: https://whisperx.ai/en/intel/77246