On ChangesList special pages like Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output as unescaped HTML.
Steps to reproduce:
- Edit one of the rcfilters-filter-*-label messages (e.g. edit MediaWiki:Rcfilters-filter-humans-label) and add a simple XSS string like <img src=x onerror=alert(document.domain)>
- Visit Special:RecentChanges and see the JavaScript executed (depending on which label you chose in step 1, you may need to select that filter in the interface or URL param first)
This happens because the label is added by JS using append, which parses the string as HTML, while the message itself is unescaped plain text. This appears to have been the case since https://phabricator.wikimedia.org/rMWd0339e8741fb0a8361aed563b92f3fd36fdb3f7b: before that commit the label was always wrapped in mw.html.escape, but afterwards it is output raw if there isn't a wrapping label message.
It's relatively low risk given it's admin-only, but filing as a private issue similar to T256171, T255918, and T278014.
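The regression described above, modelled as an added example (not MediaWiki's own code): the function names, the `wrapper` message and `escapeHtml`, a stand-in assumed to behave like `mw.html.escape`, are hypothetical. It shows that escaping only on the wrapped path leaves the bare-label path producing markup, and that escaping on every path closes it.

```javascript
// Stand-in for mw.html.escape (assumed equivalent): encode HTML-significant characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'
  }[c]));
}

// Hypothetical model of the regressed logic: the label is escaped only when
// a wrapping message exists; otherwise the raw message text is returned.
function labelHtmlVulnerable(label, wrapper) {
  if (wrapper) {
    // Function replacer avoids special "$" patterns in the replacement.
    return wrapper.replace('$1', () => escapeHtml(label));
  }
  return label; // raw text, later handed to an HTML-parsing append
}

// Hardened: escape on every path so the result is always safe as HTML.
function labelHtmlFixed(label, wrapper) {
  const safe = escapeHtml(label);
  return wrapper ? wrapper.replace('$1', () => safe) : safe;
}

// True if an HTML parser would start a tag, comment or similar from this string.
function createsElement(html) {
  return /<[a-zA-Z!/?]/.test(html);
}

// Constructed sample: the label text from the reproduction steps.
const editedLabel = '<img src=x onerror=alert(document.domain)>';
const wrapper = 'Filter: $1'; // constructed wrapping message

function demo() {
  return {
    vulnWrapped: createsElement(labelHtmlVulnerable(editedLabel, wrapper)),
    vulnBare: createsElement(labelHtmlVulnerable(editedLabel, null)),
    fixedWrapped: createsElement(labelHtmlFixed(editedLabel, wrapper)),
    fixedBare: createsElement(labelHtmlFixed(editedLabel, null)),
  };
}

console.log(demo());
```

When the label is only ever plain text, setting it through a text-only DOM API (for example jQuery's `.text()`) avoids building an HTML string at all.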