As part of T280766, a few patches were pushed to replace outdated CSS styling. Some of these also replaced calls to OutputPage::wrapWikiMsg with code like
$out->addHTML( Html::errorBox( $out->msg( 'deletedwhileediting' )->plain(), '', 'mw-deleted-while-editing' ) );
which is understandable, since the docblock of wrapWikiMsg says:
* $wgOut->wrapWikiMsg( "<div class='errorbox'>\n$1\n</div>", 'some-error' ); * * Is equivalent to: * * $wgOut->addWikiTextAsInterface( "<div class='errorbox'>\n" * . wfMessage( 'some-error' )->plain() . "\n</div>" );
but this is not correct. wrapWikiMsg is actually escaping its content, probably by running it through the parser (haven't checked deeply). I spotted this in r682960 for AbuseFilter, but similar code was also introduced in r682915 for MW core.
I believe that escaping should be fixed immediately, and equally important is to update the documentation of wrapWikiMsg, which is basically asking for this mistake to happen again in the future.
(FTR, this wasn't spotted by taint-check because version 3.2.1 of the plugin still can't fully understand that the HTML parameter is passed through by successBox. r681443 is a change that I'm hoping to complete in a few days that would flag this code)