I noticed that certain HTML is unsanitised by the Awesome Autocomplete for GitHub extension, leading to a case of XSS on the GitHub website.
I have tested the following Proof of Concept demonstrations with the following conditions:
Please follow the below steps to demonstrate the presence of an unsanitised HTML issue.
'"><img src=x onerror=on GitHub.com
<img>element and requests to "x" on GitHub.com
The following images demonstrate that a broken
<img> element was created in the context of GitHub.com by the Algolia extension:
Please follow the below steps to demonstrate the presence of a full XSS issue.
document.domain rather than "1337").
Please let me know if you require any additional information regarding these vulnerabilities.