Not OP, but according to the article some of the html payload originates from a 3rd party, - not a huge risk unless stackoverlow is compromised. Also the post is misleading, they are not using an XSS attack to notify the update, they are utilizing a possible XSS vulnerability in their code that dangerously injects html from a server payload, but there may or may not have been any real attack vectors. Dangerously doing something doesn’t always mean the code is vulnerable. They did not intend this html payload to contain scripts, but they had no other way to inject a new script to the page, so they used XSS techniques to do it.