The mobile-html API endpoint does not properly escape the id attribute of headings when used on zh-language projects (zh uses a different code path than other languages).
As an example, look at the id attribute on the <h2> at https://zh.wikipedia.org/api/rest_v1/page/mobile-html/User:Bawolff%2Fsandbox [I made this look non-suspicious since it's public].
PoC code:
=="onmouseover="alert(document.domain)==
The issue is that createHeadingHTML (in mobileapps/lib/mobile/MobileViewHTML.js) has code like:
return `<h${level} id="${section.anchor}">${section.line}</h${level}>`;
where section.anchor is defined as sectionObj.anchor = node.getAttribute('id');, which is unescaped. Parts of the rest of the section handling code also look suspicious, especially the function appendSectionText and how it mixes HTML and text nodes.
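For comparison, the template line quoted above next to an escaped variant. This is an added example, not code from the mobileapps repository: escapeHTML, createHeadingHTMLSafe, openingTagAttributeNames and the sample section object are hypothetical names and constructed values, and the anchor is assumed to equal the heading text of the PoC.

```javascript
// Added example, not code from the mobileapps repository.
// Escape characters that are significant in HTML text and quoted attributes.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same shape as the line quoted in the report: anchor interpolated raw.
function createHeadingHTMLUnsafe(section, level) {
  return `<h${level} id="${section.anchor}">${section.line}</h${level}>`;
}

// Hardened variant: anchor escaped for a double-quoted attribute value and
// level restricted to 1-6 so it cannot carry markup either.
// Assumption: section.line is already-serialized HTML, so it is left as is.
function createHeadingHTMLSafe(section, level) {
  const n = Number(level);
  if (!Number.isInteger(n) || n < 1 || n > 6) {
    throw new RangeError(`invalid heading level: ${level}`);
  }
  return `<h${n} id="${escapeHTML(section.anchor)}">${section.line}</h${n}>`;
}

// Hypothetical helper: list the attribute names in the opening tag
// the way an HTML tokenizer would split them (simplified).
function openingTagAttributeNames(html) {
  const attr = /\s*([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/y;
  attr.lastIndex = html.match(/^<[a-zA-Z][a-zA-Z0-9]*/)[0].length;
  const names = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed section object; the anchor is the heading text from the PoC above.
const sampleSection = { anchor: '"onmouseover="alert(document.domain)', line: 'Heading' };

console.log(openingTagAttributeNames(createHeadingHTMLUnsafe(sampleSection, 2)));
console.log(openingTagAttributeNames(createHeadingHTMLSafe(sampleSection, 2)));
console.log(createHeadingHTMLSafe(sampleSection, 2));
```

The attribute-name listing makes a convenient regression check: for any anchor value, the opening tag of the generated heading should contain exactly one attribute, id.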