I was asked on my talk page to report the bug here; sorry if this is the wrong place:
I work with Miraheze, a free and nonprofit wiki farm. I was recently asked to do a security evaluation of the extension Extension:MsCalendar.
After doing a read-through of the code, I noticed that the JS wasn't escaping event text here:
As a result, one can simply create an event named '<script>alert("hello world")</script>' and have a persistent cross-site scripting attack. This could lead to leaking of private data, and potential hijacking of the MediaWiki account.
However, this extension uses Calendario 1.0.0. Upstream doesn't appear to have this issue at first glance; it's at version 3.2.0. Perhaps if you upgrade the library, you can avoid this issue.
The extension otherwise looks secure to me.
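
The failure mode reported above, as an added example that is not part of the original report and is not code from MsCalendar or Calendario: event text concatenated into markup unescaped, next to the same renderer with output escaping. The function names, the `<span>` markup and the sample events are assumptions made for illustration.

```javascript
// Added example: hypothetical names and markup, not MsCalendar or Calendario code.

// Escape the five characters that are significant in HTML text and
// quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored event text is concatenated into markup as-is,
// so any tags in the event name become part of the page for every viewer.
function renderEventsUnsafe(events) {
  return events
    .map((ev) => '<span class="event" title="' + ev.name + '">' + ev.name + '</span>')
    .join('');
}

// Hardened pattern: every stored value is escaped at the point of output,
// in both the attribute and the element body.
function renderEventsEscaped(events) {
  return events
    .map((ev) => {
      const name = escapeHtml(ev.name);
      return '<span class="event" title="' + name + '">' + name + '</span>';
    })
    .join('');
}

// Constructed sample data; the second name is the one quoted in the report.
const sampleEvents = [
  { name: 'Team meeting & lunch' },
  { name: '<script>alert("hello world")</script>' },
];

// Regression check: the only opening tags in the output should be the
// renderer's own <span> wrappers, one per event.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log(renderEventsUnsafe(sampleEvents));
console.log(renderEventsEscaped(sampleEvents));
console.log(countOpeningTags(renderEventsEscaped(sampleEvents)), 'opening tags after escaping');
```

When the renderer runs in the browser, assigning the event name through `textContent` on a created element gives the same result without building HTML strings at all.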