MediaWiki is vulnerable to cross-site scripting. The non-jqueryMsg version of mw.message().parse() doesn’t escape HTML.
lists.fedoraproject.org/archives/list/[email protected]/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
lists.wikimedia.org/pipermail/mediawiki-announce
lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
security-tracker.debian.org/tracker/CVE-2020-25828
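
The flaw class described above, as an added example that is not MediaWiki's code: a simplified model of a client-side message formatter whose parse step returns unescaped text, beside a form that escapes before the result reaches the DOM. All function names, the `$1` placeholder handling and the sample values are assumptions made for illustration.

```javascript
// Simplified model of a message formatter (hypothetical names, not MediaWiki source).
// Messages carry $1, $2, ... placeholders that are filled from a parameter list.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'
};

// Escape the five characters that can open a tag, an attribute or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Single-pass replacement of $N with the Nth parameter.
// Placeholders without a matching parameter are left untouched.
function substitute(template, params) {
  return template.replace(/\$(\d+)/g, (match, n) => {
    const value = params[Number(n) - 1];
    return value === undefined ? match : String(value);
  });
}

// Flawed form: callers treat the return value as HTML, but neither the
// message text nor the parameters were escaped.
function parseUnescaped(template, params) {
  return substitute(template, params);
}

// Hardened form: escape the substituted result as a whole, so markup in the
// message text or in a parameter is rendered as literal characters.
function parseEscaped(template, params) {
  return escapeHtml(substitute(template, params));
}

// Constructed sample input: a parameter that contains markup.
const SAMPLE_TEMPLATE = 'Welcome back, $1!';
const SAMPLE_PARAM = '<img src=x onerror=alert(1)>';

// Returns [flawed output, hardened output] for the constructed sample.
function compareOutputs() {
  return [
    parseUnescaped(SAMPLE_TEMPLATE, [SAMPLE_PARAM]),
    parseEscaped(SAMPLE_TEMPLATE, [SAMPLE_PARAM])
  ];
}
```

A regression test for this class of bug asserts that the string handed to the DOM contains no raw `<` after markup is passed in as a parameter or as message text.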