When $wgArticlePath is set to '$1', it's trivially possible to execute XSS attacks:
Note that $wgArticlePath = '$1' is a pretty broken configuration setting and unlikely to result in a fully functional wiki, but people desperately grappling with short URLs might end up setting that. On master, it seems to cause infinite redirect loops (probably due to 155d555b83eca6403e07d2094b074a8ed2f301ae?), but I was able to view pages with that setting on MediaWiki 1.25.
It seems that T48998 is an old bug pointing out that some $wgArticlePaths just shouldn't be allowed (with a patch).
- 1.23 - included in
- 1.24 - included in
- 1.25 - included in
- 1.26/master - https://gerrit.wikimedia.org/r/135196 + https://gerrit.wikimedia.org/r/252582