If a template description (or other InterfaceText field) contains disallowed HTML, it is neither stripped nor escaped, e.g.:
<templatedata>
{
    "description": "<script>alert('test');</script>",
    "params": {}
}
</templatedata>
The API returns this as:
"pages": {
    "935": {
        "title": "Template:Test",
        "description": {
            "en": "<script>alert('test');</script>"
        },
        "params": {},
        "format": null,
        "paramOrder": [],
        "sets": [],
        "maps": {}
    }
},
Clients should of course not use this as-is and should always treat it as plain text, but they might not know that. The value is of type InterfaceText (free-form string, no wikitext).
Is it worth sanitizing these outputs?
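
For reference, this is what "treat it as plain text" looks like on the client side. It is an added example, not code from TemplateData or any existing client; the function names and the constructed sample response (shaped like the output quoted above) are assumptions made for illustration.

```javascript
// Constructed sample, shaped like the API output quoted in this report.
const sampleResponse = {
  pages: {
    "935": {
      title: "Template:Test",
      description: { en: "<script>alert('test');</script>" },
      params: {}, format: null, paramOrder: [], sets: [], maps: {}
    }
  }
};

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// InterfaceText arrives either as a plain string or as an object keyed by
// language code. Return one language as a string, never as markup.
// (Hypothetical helper; falls back to the first available language.)
function pickInterfaceText(value, lang = "en") {
  if (typeof value === "string") return value;
  if (value && typeof value === "object") {
    if (typeof value[lang] === "string") return value[lang];
    const first = Object.values(value).find((v) => typeof v === "string");
    return first === undefined ? "" : first;
  }
  return "";
}

// For clients that build HTML strings: escape every field before interpolation.
function renderDescriptionHtml(page, lang = "en") {
  const title = escapeHtml(page.title);
  const desc = escapeHtml(pickInterfaceText(page.description, lang));
  return `<dt>${title}</dt><dd>${desc}</dd>`;
}

// For clients that work on the DOM: textContent stores the value as text,
// so no manual escaping is needed and no markup is parsed.
function setDescription(element, page, lang = "en") {
  element.textContent = pickInterfaceText(page.description, lang);
}
```
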