The "copy as wikitext" functionality that was added in T251361 relies on VisualEditor to convert the HTML from the client's browser into Wikitext for use on other wikis. This is problematic for two reasons:
- This mechanism trusts that the client's HTML is correct, is not malicious, and does not contain sensitive information. For instance, if the user has a browser plugin that modifies the HTML for that user (and perhaps includes sensitive information), that information will be converted into Wikitext and the user may share it unknowingly.
- Likewise, trusting the HTML from the client means we are trusting that it is in a state that is expected. The code sanitizes the input on the client, but does not account for unknown gadgets, user scripts, or browser plugins that may modify the HTML input. This could result in bugs that are difficult to reproduce and may not even appear for that user (i.e. they may only appear for other users who see the wikitext later).
Normally in this instance it might be acceptable to trust the client, but since the output is deterministic (i.e. two users should be able to copy the same investigation and get the same wikitext) and intended to be shared, it seems somewhat risky. In the case of VisualEditor, trusting the client's input is part of its intended use, and it is being used for content the client themselves generated (not deterministic).
Alternatively, we could generate the Wikitext manually (on the server, or with the data from the client), but since Parsoid is available, using it seems like the more sensible option.