Follow up to T222261#5606910, there is an XSS on Special:UserRights and anywhere that an UserGroupMembership is passed into UserGroupMembership::getLink().
The problem happens when a user's groups are loaded, and one of them has an expiration.
- Change the group-membership-link-with-expiry message in your language to include an XSS like <script>alert('hello!');</script>
- Go to Special:UserRights and load a user, change the user to have a right with an expiration (if they don't already).