After T229541 was reported and resolved, I checked MobileFrontend for more instances of Sanitizer::stripAllTags() and found another one in includes/specials/SpecialMobileWatchlist.php and confirmed it also renders an XSS.
Steps to reproduce:
- Create a test page or edit any wiki page
- Enter some JavaScript within the edit summary field, e.g. <script>alert('xss')</script>
- Add this page to your watchlist
- Visit the mobile version of your watchlist feed, e.g. https://en.m.wikipedia.org/w/index.php?title=Special:Watchlist&watchlistview=feed&filter=all
n.b. there are a few more calls to Sanitizer::stripAllTags within other extensions and it's probably worth auditing these. I think we're also hoping to catch more issues like this by setting Sanitizer::stripAllTags' @return-taint to tainted for phan-taint-check.
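The pattern behind this class of bug, as an added illustration that is not MobileFrontend's or MediaWiki's code: a strip-all-tags helper returns plain text (tags dropped, character references decoded), so its result still has to be escaped before it is placed in HTML output. The `strip_all_tags` below is a simplified stand-in for the real `Sanitizer::stripAllTags`, and the sample summary is constructed.

```python
import html
import re

# Constructed sample: an edit summary as it would already appear inside an
# HTML comment fragment, i.e. with the angle brackets entity-encoded.
SAMPLE_SUMMARY = "fix typo &lt;script&gt;alert('xss')&lt;/script&gt;"

# Simplified stand-in for a strip-all-tags helper (an assumption, not
# MediaWiki's Sanitizer code): tags are dropped and character references
# are decoded, so the result is plain text, NOT HTML-safe text.
TAG_RE = re.compile(r"<[^>]*>")


def strip_all_tags(fragment: str) -> str:
    """Return the text content of an HTML fragment: tags removed, entities decoded."""
    return html.unescape(TAG_RE.sub("", fragment))


def render_summary_unsafe(summary: str) -> str:
    """Vulnerable pattern: the stripped text is concatenated into HTML as if it were safe."""
    return "<p>" + strip_all_tags(summary) + "</p>"


def render_summary_safe(summary: str) -> str:
    """Hardened pattern: the stripped text is plain text, so escape it before emitting HTML."""
    return "<p>" + html.escape(strip_all_tags(summary), quote=True) + "</p>"


def has_unexpected_markup(rendered: str) -> bool:
    """Detection check: any tag inside the <p> wrapper means text reached the output as markup."""
    inner = rendered[len("<p>"):-len("</p>")]
    return TAG_RE.search(inner) is not None


if __name__ == "__main__":
    print(render_summary_unsafe(SAMPLE_SUMMARY))  # the <script> element survives to the output
    print(render_summary_safe(SAMPLE_SUMMARY))    # &lt;script&gt; is rendered as visible text
```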