The WikibaseLexeme extension introduces a datatype for forms, allowing you to state, for example, that the third word of the English phrase “every dog has its day” is derived from the form “has” of the lexeme “have”. The visual rendering of a form consists of all its representations, separated by an interface message defaulting to a slash.
Unfortunately, we don’t HTML-escape the representations.
$representationString = implode( $representationSeparator, $representations->toTextArray() ); return Html::rawElement( 'a', [ 'href' => $title->isLocal() ? $title->getLinkURL() : $title->getFullURL(), ], $representationString );
Therefore, when you link to a form which has HTML in the representation:
The fix is super trivial – use Html::element instead of Html::rawElement – but I’m not sure what the procedure is to deploy that fix without publishing in on Gerrit (which effectively makes the vulnerability public).