The Security-Team can likely help out with this. Here is our SOP which governs the current security readiness review process. Not sure exactly how this request would be prioritized, as we can only accommodate so many reviews per quarter and things going into Wikimedia production are often deemed highest priority.
Just FYI, I looked at this a little bit a long time ago. I don't think much has changed, but it's possible it has, so this might be out of date, but my main takeaways at the time were:
- The extension is extremely difficult to use correctly, particularly if the widgets have any parameters
- The way of specifying escaping is error prone. If you make a typo, it fails insecurely. Many users do not know what the proper escaping method is to use. Smarty is not the most well designed templating language in terms of security imo.
- The vast majority of people who are using it are using it in an insecure way. A significant portion of the examples from the official website are insecure.
- T149488 has not been fixed. It's not always applicable (and technically you can make widgets that don't fall victim to it, but it's difficult). Most of the time this issue can be used to get an XSS.
- Having some sort of automated testing special page (e.g. stuff onclick="alert(1)" and variations into every parameter, so that users can load and easily test their widget) would probably go a long way to helping users make secure widgets.
- T109828 is considered at least semi a feature and not a bug. And well, normally I scoff anytime someone uses this line, but in this case I think it's actually somewhat justified to consider it a feature and not a bug. That said, this is another example of how the security implications of widgets can be really confusing and can lead to users accidentally doing things that are quite insecure without realizing it.
YMMV, but hope that helps.
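The "stuff onclick="alert(1)" into every parameter" testing idea from the comment above, sketched as a stand-alone harness. This is an added example, not code from the Widgets extension or from anyone in this thread: the `render()` function is a toy substitute for the real Smarty-based engine, and its behaviour of passing a parameter through raw when the escape modifier is misspelled is an assumption made to model the "typo fails insecurely" point, not a description of how the extension actually parses templates. The two widget templates and the probe strings are constructed for the example.

```python
import html
import re
import urllib.parse

# Toy placeholder syntax: {$name}, {$name|escape:'html'}, {$name|escape:'url'}.
# Assumed stand-in for the template engine; not the Widgets extension's parser.
PLACEHOLDER = re.compile(r"\{\$(\w+)(?:\|(\w+):'(\w+)')?\}")


def render(template, params):
    """Substitute params into template. Only a correctly spelled escape modifier
    neutralises the value; a missing or misspelled modifier substitutes it raw
    (assumed fail-insecure behaviour, matching the comment above)."""
    def sub(m):
        name, modifier, mode = m.groups()
        value = str(params.get(name, ""))
        if modifier == "escape" and mode == "html":
            return html.escape(value, quote=True)
        if modifier == "escape" and mode == "url":
            return urllib.parse.quote(value, safe="")
        return value
    return PLACEHOLDER.sub(sub, template)


# (probe value, regex that only matches if the probe landed in the output unneutralised)
PROBES = [
    ('x" onclick="alert(1)', r'"\s*onclick='),                 # double-quoted attribute breakout
    ("x' onclick='alert(1)", r"'\s*onclick="),                 # single-quoted attribute breakout
    ("<script>alert(1)</script>", r"<script>"),                # raw element injection in text/attr
    ("javascript:alert(1)", r"""(?:href|src)\s*=\s*["']?javascript:"""),  # scheme injection in a URL attr
]


def probe_widget(template, param_names):
    """Render the template once per (parameter, probe) and return
    {param: [probe values that rendered unsafely]} for everything that got through."""
    findings = {}
    for name in param_names:
        hits = [probe for probe, pattern in PROBES
                if re.search(pattern, render(template, {name: probe}))]
        if hits:
            findings[name] = hits
    return findings


# Constructed widgets: one escapes every parameter for its context, one has no
# escaping on $url and a misspelled modifier ("escpae") on $title.
GOOD_WIDGET = ('<a href="{$url|escape:\'url\'}" title="{$title|escape:\'html\'}">'
               '{$title|escape:\'html\'}</a>')
BAD_WIDGET = '<a href="{$url}" title="{$title|escpae:\'html\'}">{$title}</a>'

if __name__ == "__main__":
    for label, widget in (("good", GOOD_WIDGET), ("bad", BAD_WIDGET)):
        print(label, probe_widget(widget, ["url", "title"]))
```

Each probe is paired with a context check rather than a plain substring search, so HTML-escaping a value that ends up in an `href` is still reported when the `javascript:` scheme survives, while the same value in a text node is not; that distinction is exactly the "which escaping method is right for this spot" problem the comment describes.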