The Cosmos skin calls Html::rawElement() many times, and also calls wfMessage(). However, some wfMessage calls are not properly escaped, so this allows XSS injection. There are many cases of this happening, and all of these need to be properly audited...
In CosmosSocialProfile::getUserGroups() ( Lines 44 and Line 58, https://github.com/wikimedia/mediawiki-skins-Cosmos/blob/master/includes/CosmosSocialProfile.php#L44-L58 ):
$usertags = Html::rawElement( 'span', [ 'class' => 'tag tag-blocked' ], wfMessage( 'cosmos-user-blocked' ) ); $usertags .= Html::rawElement( 'span', [ 'class' => 'tag tag-' . Sanitizer::escapeClass( $value ) ], ucfirst( wfMessage( 'group-' . $value . '-member' ) ) );
There are many i18n message calls calls in CosmosTemplate, but most of them are either passed through Sanitizer::escapeIdForAttribute() or use the text as the output mode (->text()). These seem to be the only two cases of security issues.
Codesearch query: https://codesearch.wmcloud.org/skins/?q=(wfMessage%7C%5C%24this-%3EgetMsg)&i=nope&files=&repos=Skin:Cosmos