Found well testing a new solution to T119158. The regex in LanguageConverter::autoConvert(), which matches parts of the HTML document not to convert, can hit pcre.backtrack_limit on some input (default in php is 100,000 but it is configurable). The regex fails to match anything after the point it hits the backtrack limit, so language conversion substitutions are done on the entire document, instead of just the part that it is supposed to be done.
To exploit: Create a rule followed by slightly more than pcre.backtrack_limit characters (without any newlines). After that, the substitution rule will be applied everywhere, including within tags.
E.g. Create a page with the following form:
-{H|big=>sr-el:script}- foo <X repeated at least 100000 times> <big>alert(1)</big>
And then view it in the sr-el variant
(For testing, its easier if you set pcre.backtrack_limit to a smaller number than default)