Not a big deal, but several of the wikieditor-toolbar-* group of messages (e.g. wikieditor-toolbar-group-format, wikieditor-toolbar-help-heading-description, etc.) are used as raw HTML. Since this is unnecessary, it would be nice if we could change this to not treat the messages as raw HTML.
Steps to reproduce:
- Open index.php?title=MediaWiki:Wikieditor-toolbar-help-heading-description&action=edit with a user who has the rights to edit this system message.
- Insert <i onmouseover="alert('JS injection')">Description</i>.
- Maybe clear any caches (Shift+Ctrl+R).
- Hover over the Description in the Help menu.
Note that this is likely partially intentional. The dialog config specifically uses the key: "htmlMsg" for these descriptions. That means that likely in some conditions it is expected to actually be HTML. Now getting rid of those expectations might be possible, but I suspect some of it is a bit complicated.
Finding the actual messages (see i18n/en.json) that have this problem should be the first step:
I think that none of the -description ones actually require HTML (though there are ones with HTML entities in them that need to be re-encoded/rewritten).
The true purpose is probably the -result messages, which seem to give language-specific preview renderings of wikicode syntax. These will need to be separated in the wikieditor logic and be handled separately from the -description and -syntax messages. In theory you could replace them with HTML templates and then make those translatable. A bit more work than most cases of these raw HTML issues.
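The two points above (a -description message that only needs text, and a message that carries HTML entities and therefore needs re-encoding) can be shown side by side. The following is an added example, not WikiEditor's own code: it decodes the legacy entities a description message may contain, escapes the result once at render time, and walks a message bundle to flag the values that actually contain tags. The message keys `sample-tool-description` and `sample-tool-result` and the bundle contents are constructed for the example; only `wikieditor-toolbar-help-heading-description` is a key named in the report.

```javascript
// Added example (not WikiEditor's code): render toolbar messages as text,
// not raw HTML, while still handling messages that carry HTML entities.

const ENTITY_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode the small set of named and numeric entities a -description message
// may carry, so the message can be treated as plain text from here on.
// Unknown entities are left untouched so nothing is silently dropped.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) ? String.fromCodePoint(cp) : match;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(ENTITY_MAP, key) ? ENTITY_MAP[key] : match;
  });
}

// Escape text for insertion into an HTML context (element content or attribute).
function escapeHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => table[c]);
}

// The path the report describes: the message value is used as raw HTML,
// so markup inside an editable system message reaches the page unchanged.
function renderRawHtml(msg) {
  return msg;
}

// The intended path for -description messages: decode entities the message
// was stored with, then escape once. A tag written into the message becomes
// visible text instead of markup.
function renderDescription(msg) {
  return escapeHtml(decodeEntities(msg));
}

// Walk a message bundle (shape of i18n/en.json, keys -> values) and return the
// keys whose value contains a tag. These are the candidates that genuinely
// need the html path, as opposed to ones that only contain entities.
function findHtmlBearingMessages(messages) {
  return Object.keys(messages).filter((key) => /<[a-z!/]/i.test(messages[key]));
}

// Constructed sample bundle for the example; the second and third keys are
// not real WikiEditor messages.
const SAMPLE_MESSAGES = {
  'wikieditor-toolbar-help-heading-description': 'Description',
  'sample-tool-description': 'Bold &amp; italic',
  'sample-tool-result': '<strong>Bold text</strong>',
};

// Constructed value resembling what an editor of the system message could
// save; the raw path emits it as markup, the text path neutralises it.
const TAMPERED_DESCRIPTION = '<i onmouseover="alert(\'JS injection\')">Description</i>';

console.log('raw :', renderRawHtml(TAMPERED_DESCRIPTION));
console.log('text:', renderDescription(TAMPERED_DESCRIPTION));
console.log('entities decoded then escaped:', renderDescription(SAMPLE_MESSAGES['sample-tool-description']));
console.log('keys that contain tags:', findHtmlBearingMessages(SAMPLE_MESSAGES));
```

In MediaWiki's frontend the equivalent choice is between `mw.message( key ).escaped()` or `.text()` for a message that is plain text and `.parse()` only for the few keys that are meant to carry markup; the bundle scan above is a quick way to see which keys fall into the second group before splitting the -result handling off from -description and -syntax.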