Prerequisites: social tools setup (MW 1.34 with SocialProfile, and for this particular bug, also need PictureGame, PollNY, QuizGame and RandomGameUnit)
- Create a game (for example, a picture game via Special:PictureGameHome; but the bug also happens with PollNY polls and QuizGame quizzes since RandomGameUnit fails to properly escape titles/options for all three types of games)
- Have its title contain something like <script>alert('XSS')</script>
- Save the game to ensure that it's created (obviously!)
- When using RandomGameUnit, whether directly via adding the parser tag to a wiki page or as a more "fixed" part of the UI (e.g. in the Nimbus skin), note how the malicious code gets executed despite that it damn well shouldn't
This is somewhat of a continuation of the fixes done in fde2cd7a5e9b675e6c78003f47e21bd8634271f9 for PictureGame's own creation/editing form.