On Special:Contributions, the namespace filter uses unescaped messages as keys in the 'options' array of an HTMLForm field specifier (source):
```php
$fields['nsFilters'] = [
	// ...
	'options' => [
		$this->msg( 'invert' )->text() => 'nsInvert',
		$this->msg( 'namespace_association' )->text() => 'associated',
	],
```
This allows a mild XSS if one of those messages is changed to include raw HTML.
The issue was spotted by taint-check.
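The following standalone PHP model is an added example, not MediaWiki code and not part of the original report. It shows why `->text()` is unsafe in this position: HTMLForm documents the keys of 'options' as raw HTML labels, so an overridden message reaches the page unescaped. `msgText`, `msgEscaped` and `renderOptions` are hypothetical stand-ins for `msg()->text()`, `msg()->escaped()` and the form renderer, and the message override is constructed sample data.

```php
<?php
// Constructed sample: interface messages after an on-wiki override of
// "invert" that contains markup.
$messages = [
	'invert' => 'Invert selection <script>alert(1)</script>',
	'namespace_association' => 'Associated namespace',
];

// Hypothetical stand-in for $this->msg( $key )->text(): no HTML escaping.
function msgText( array $messages, string $key ): string {
	return $messages[$key];
}

// Hypothetical stand-in for $this->msg( $key )->escaped().
function msgEscaped( array $messages, string $key ): string {
	return htmlspecialchars( $messages[$key], ENT_QUOTES, 'UTF-8' );
}

// Simplified model of the renderer: array keys are emitted as raw HTML
// labels, array values are attribute-escaped form values.
function renderOptions( array $options ): string {
	$html = '';
	foreach ( $options as $labelHtml => $value ) {
		$html .= '<label><input type="checkbox" name="'
			. htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' )
			. '"> ' . $labelHtml . "</label>\n";
	}
	return $html;
}

// Same shape as the reported code: unescaped message text used as label.
$vulnerable = renderOptions( [
	msgText( $messages, 'invert' ) => 'nsInvert',
	msgText( $messages, 'namespace_association' ) => 'associated',
] );

// Hardened: the label is escaped before it becomes a raw-HTML key.
$hardened = renderOptions( [
	msgEscaped( $messages, 'invert' ) => 'nsInvert',
	msgEscaped( $messages, 'namespace_association' ) => 'associated',
] );

echo "text() labels:\n", $vulnerable, "\nescaped() labels:\n", $hardened;

// Self-check: the tag survives in the first form only.
if ( strpos( $vulnerable, '<script>' ) === false || strpos( $hardened, '<script>' ) !== false ) {
	fwrite( STDERR, "unexpected rendering\n" );
	exit( 1 );
}
```

In MediaWiki itself the equivalent changes are `->escaped()` in place of `->text()`, or passing message keys through 'options-messages' so that HTMLForm resolves the labels itself.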