The manner (and stage of execution) in which LanguageConverter's parsing has been implemented leads to XSS vulnerabilities. Extensions that run before LanguageConverter may allow partial markup to be inserted, which LanguageConverter's content replacement then completes.
These problems may be remediated in two ways:
- Modify the stage at which LanguageConverter runs, such that it happens prior to content escaping; and
- Improve LanguageConverter's HTML tag parsing so that tag detection does not end early [implemented in LanguageConverter->autoConvert()].
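The second remediation, sketched as an added example (not MediaWiki's code, and not taken from this task): a converter that skips HTML tags must find the real end of each tag. It assumes "ends early" means stopping at a `>` inside a quoted attribute value; `toyConvert()`, `convertOutsideTags()` and both patterns are hypothetical names for illustration.

```php
<?php
// Added illustration; this is not MediaWiki's LanguageConverter code.
// Assumption: "ends early" means the scanner treats the first '>' as the end
// of a tag even when that '>' sits inside a quoted attribute value.

// Naive: a tag runs from '<' to the first '>'.
const NAIVE_TAG = '/<[^>]*>/';
// Quote-aware: quoted attribute values are consumed whole, '>' included.
const QUOTE_AWARE_TAG = '/<(?:"[^"]*"|\'[^\']*\'|[^\'">])*>/';

/** Hypothetical stand-in for content replacement: rewrites one word. */
function toyConvert(string $text): string {
    return str_replace('colour', 'color', $text);
}

/** Convert only the text between tags; copy every matched tag verbatim. */
function convertOutsideTags(string $html, string $tagPattern): string {
    $out = '';
    $pos = 0;
    preg_match_all($tagPattern, $html, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as [$tag, $start]) {
        $out .= toyConvert(substr($html, $pos, $start - $pos)) . $tag;
        $pos = $start + strlen($tag);
    }
    return $out . toyConvert(substr($html, $pos));
}

// Constructed sample: already-escaped output whose attribute value holds '>'.
$sample = '<span title="a > colour">colour</span>';

// Naive scan: the tag "ends" inside the attribute, so the tail of the
// attribute value is handed to the converter as if it were body text.
echo convertOutsideTags($sample, NAIVE_TAG), "\n";

// Quote-aware scan: the whole tag is skipped; only the body text changes.
echo convertOutsideTags($sample, QUOTE_AWARE_TAG), "\n";
```

With the naive pattern the attribute value is rewritten after escaping has already happened; with the quote-aware pattern it is left untouched.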
The following bugs are related to this issue and give additional background:
- T97157
- T73394