Steps to reproduce
- Put the following wiki text into a wiki page:
<div id="pt-logout">[https://www.example.com/ click]</div>
- Log in the wiki.
- Load the page with the rendered wiki text.
- Click on the logout button.
-> The user get logged out.
-> The browser redirects to https://www.example.com/
It should not possible to change the target of an interface button by user content.
https://gerrit.wikimedia.org/r/536725 (rMWd4a552e65bdf) by @Krinkle mitigates this issue.
The button in the user content still logs out. Mitigation for this is to add data-mw="interface" as HTML attribute to the logout button and add [data-mw="interface"] to the jQuery selector for selecting the button.