From Paser24 to security@
Hi, update: I can create stored XSS in my talk and discussion sections, including the title and text, with an XSS payload and get stored XSS. Let's reveal this valid report.
URL vuln: https://id.m.wikipedia.org/wiki/Pembicaraan_Pengguna:Longkali
Payload XSS: HACKED<br><br><center><font color="red">HACKED <br><br><img src=x onerror=alert(document.domain)><br><br><img src=x onerror=alert(document.domain)>
https://id.m.wikipedia.org/wiki/Pembicaraan_Pengguna:Longkali gives a lovely popup, https://id.wikipedia.org/wiki/Pembicaraan_Pengguna:Longkali doesn't
Introduced in 78f85803f64ae3ecedbecb38473ee70606fca5c9 as a fix for T67042: Mobile Table of Contents double unescapes encoded characters... Fixing another XSS :) - rEMFR78f85803f64a: Fix XSS in section handling