Steps to reproduce
- On any wiki with the mentor dashboard enabled (as of writing, testwiki and some beta wikis), log in with an account that has the ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
- Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add <script>alert('XSS');</script> somewhere in the message
- Log in with an account that is on the mentors list
- Go to Special:MentorDashboard
- The alert is displayed
The same applies to the growthexperiments-mentor-dashboard-mentee-overview-intro and growthexperiments-mentor-dashboard-resources-intro messages.
Fix
MenteeOverview::getBody() should not pass the message to Html::rawElement unescaped; either use Html::element (which escapes its content) or call ->escaped() on the message. A similar fix should be applied to the other messages mentioned above.
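To make the fix concrete, here is an added example (not code from the GrowthExperiments extension) of the vulnerable pattern the report describes next to the two corrected forms. It assumes a MediaWiki runtime (the Html and Message classes and wfMessage()); the class name, the exact shape of the vulnerable call (->text() into Html::rawElement) and the CSS class names are illustrative stand-ins, since the real MenteeOverview::getBody() is not shown here.

```php
<?php
// Added example, not code from the GrowthExperiments extension. Assumes a
// MediaWiki runtime; class name, CSS classes and the exact vulnerable call
// are illustrative assumptions about what MenteeOverview::getBody() does.

class MenteeOverviewExample {

	// Message keys named in the report.
	private const INTRO_MSG = 'growthexperiments-mentor-dashboard-mentee-overview-intro';
	private const NOJS_MSG = 'growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback';

	/**
	 * VULNERABLE (assumed shape of the bug): Html::rawElement() inserts its
	 * third argument into the output verbatim, and ->text() returns the raw
	 * message content. Anyone who can edit the MediaWiki: namespace therefore
	 * controls HTML that every mentor's browser will execute.
	 */
	public function getBodyVulnerable(): string {
		return Html::rawElement(
			'div',
			[ 'class' => 'example-mentee-overview-intro' ],
			wfMessage( self::INTRO_MSG )->text()
		);
	}

	/**
	 * FIX 1: Html::element() escapes its content argument, so the message is
	 * rendered as literal text (a <script> tag shows up as text, not markup).
	 */
	public function getBodyFixedElement(): string {
		return Html::element(
			'div',
			[ 'class' => 'example-mentee-overview-intro' ],
			wfMessage( self::INTRO_MSG )->text()
		);
	}

	/**
	 * FIX 2: keep Html::rawElement() (for instance because several child
	 * nodes are concatenated into it) but escape each message with
	 * ->escaped() before it is concatenated into the raw content.
	 */
	public function getBodyFixedEscaped(): string {
		$intro = wfMessage( self::INTRO_MSG )->escaped();
		$noJs = wfMessage( self::NOJS_MSG )->escaped();
		return Html::rawElement(
			'div',
			[ 'class' => 'example-mentee-overview' ],
			Html::rawElement( 'p', [ 'class' => 'example-intro' ], $intro ) .
			Html::rawElement( 'noscript', [],
				Html::rawElement( 'p', [ 'class' => 'example-no-js' ], $noJs )
			)
		);
	}
}
```

The rule the example illustrates is that on-wiki messages are untrusted input for HTML purposes: the right to edit the MediaWiki: namespace is not the right to inject raw HTML, so every message must go through ->escaped() (or Html::element) before it reaches the page, or through ->parse() if wikitext formatting is actually wanted, since the parser's sanitizer does not let script tags through. When reviewing similar code, a pairing of Html::rawElement() with ->text() or ->plain() is the pattern to look for.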
Notes
This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on production wikis, it should go through the normal security patch procedure.