Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
This vulnerability was fixed in version 1.2 of octocat.js
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
To render the file correctly, see documentation at readme.md
If you have any questions or comments about this advisory: