As I was reviewing existing code in a different context, I realized that we don't escape the uses of mw.msg in watchlistUtils.makeUserLinks, which returns raw HTML. This can create an XSS if the messages rev-deleted-user or ntimes are manipulated to try to include scripts.
The solution is to add mw.html.escape() calls or use mw.Message.escaped().
Given that this hasn't (as far as I can tell) been noticed anywhere, and there will be a bunch of unrelated changes to the relevant file that may cause merge conflicts if the fix is deployed as a normal security patch, would it be okay to send this publicly on gerrit? Commit message would be along the lines of "Clean up watchlistUtils.makeUserLinks" and I would replace the mw.msg() shortcut with creation of mw.Message objects and calling .escaped().
You can confirm by setting the message rev-deleted-user to (username removed)</span><script>alert('error')</script><span>
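As an added illustration (not the gadget's own code, which runs against MediaWiki's real mw object), the unescaped and the escaped rendering side by side, with a minimal offline stand-in for mw.msg, mw.message().escaped() and mw.html.escape; the message store is constructed from the report, and the ntimes text and the escape character map are assumptions about core's behaviour:

```javascript
// Minimal stand-in for the MediaWiki frontend APIs used by makeUserLinks,
// so the unsafe and the fixed output can be compared in plain Node.
const mw = {
  // Constructed message store; rev-deleted-user carries the payload from the report above.
  messages: {
    'rev-deleted-user': "(username removed)</span><script>alert('error')</script><span>",
    'ntimes': '$1 times',
  },
  html: {
    // Assumed to match core's mw.html.escape character mapping.
    escape: (s) => String(s).replace(/['"<>&]/g, (c) => ({
      "'": '&#039;', '"': '&quot;', '<': '&lt;', '>': '&gt;', '&': '&amp;',
    })[c]),
  },
  // mw.msg() is the shortcut for mw.message(...).text(): no escaping at all.
  msg: (key, ...params) => mw.message(key, ...params).text(),
  message: (key, ...params) => {
    const text = mw.messages[key].replace(/\$(\d+)/g, (_, n) => params[n - 1]);
    return { text: () => text, escaped: () => mw.html.escape(text) };
  },
};

// "Before": message text is concatenated straight into an HTML string,
// so a manipulated message breaks out of the <span> and injects markup.
function makeUserLinksUnsafe(count) {
  return '<span>' + mw.msg('rev-deleted-user') + '</span> (' + mw.msg('ntimes', count) + ')';
}

// "After": every message value goes through mw.Message#escaped() before insertion,
// so the payload survives only as inert text inside the span.
function makeUserLinksFixed(count) {
  return '<span>' + mw.message('rev-deleted-user').escaped() + '</span> (' +
    mw.message('ntimes', count).escaped() + ')';
}

// Reviewer's check: does the output contain any tag other than the
// template's own literal <span> wrappers?
function containsInjectedTag(html) {
  return /<(?!\/?span>)[a-z]/i.test(html);
}
```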