When the edit
https://pt.wikipedia.org/w/index.php?diff=45776266
appeared for review at
https://labels.wmflabs.org/ui/ptwiki/
the diff displayed a paragraph like this:
O 13 voltouO 13 voltou, ''[http://espn.uol.com.br/noticia/585508_apos-cuidar-da-saude-do-pai-filho-de-zagallo-retorna-para-virar-tecnico-o-13-voltou]'', ESPN, 17 de março de 2016
However, as you can see at
https://pt.wikipedia.org/w/index.php?title=Paulo_Zagallo&action=edit&oldid=45776266
the actual wikitext for this paragraph is
O 13 voltou<ref>O 13 voltou, ''[http://espn.uol.com.br/noticia/585508_apos-cuidar-da-saude-do-pai-filho-de-zagallo-retorna-para-virar-tecnico-o-13-voltou]'', ESPN, 17 de março de 2016</ref>
I believe it should keep the <ref> tag, but it seems to be parsing it as HTML, which results in it not being visible in the Browser (but it is present in the source HTML, when I inspect it).
This seems to be a source for XSS, since if the page was created with the content
<script>alert('test');</script>
(or some malicious script), the JavaScript code would likely be executed (if not, feel free to remove the security tags from this report).