Steps to reproduce
- On any wiki with mentor dashboard enabled (as of writing, testwiki and some beta wikis), log in with an account that has the ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
- Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline and add <script>alert('XSS');</script> somewhere to the message
- Log in with an account that's on the mentors list.
- Go to Special:MentorDashboard
- Alert gets displayed
The same applies for a bunch of other messages:
- growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline
- growthexperiments-mentor-dashboard-mentee-overview-info-text
- growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline
- growthexperiments-mentor-dashboard-mentee-overview-active-ago
Notes
Pattern: Usage of $('<el>').append(<unescaped string>)
Solution: Use jQuery's .text() to trigger escaping on jQuery's end, or use mw.message(...).escaped() or mw.message(...).parse() instead to trigger escaping on MW's end.
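An audit helper for the pattern in the Notes, as an added example (not GrowthExperiments code): it flags lines where a raw message getter (mw.msg() or mw.message(...).text()/.plain()) is passed to a jQuery method that parses strings as HTML, and it goes beyond .append() to cover .prepend(), .after(), .before() and .html(). The sample lines and message keys are constructed, and the check is a line-based heuristic, not a parser.

```javascript
// SAMPLE is constructed for illustration (made-up message keys); it is not GrowthExperiments code.
const SAMPLE = [
  "$( '<h3>' ).append( mw.msg( 'example-headline' ) );",                   // flagged
  "$( '<p>' ).html( mw.message( 'example-info' ).text() );",               // flagged
  "$( '<h3>' ).text( mw.msg( 'example-headline' ) );",                     // ok: jQuery escapes
  "$( '<p>' ).append( mw.message( 'example-info' ).escaped() );",          // ok: MW escapes
  "$( '<p>' ).append( mw.message( 'example-info' ).parse() );",            // ok: MW parses
  "$( '<div>' ).append( $( '<span>' ).text( mw.msg( 'example-ago' ) ) );"  // ok: wrapped in .text()
].join('\n');
const SINKS = /\.(append|prepend|after|before|html)\s*\(/g; // jQuery methods that parse strings as HTML
const RAW_MSG = /mw\.msg\s*\(|mw\.message\s*\([^)]*\)\s*\.(text|plain)\s*\(\s*\)/; // unescaped getters

// Text between the "(" at openIdx and its matching ")", skipping string literals.
function argsAt(src, openIdx) {
  let depth = 0, quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; }
    else if (c === "'" || c === '"' || c === '`') quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1); // unbalanced call: treat the rest of the line as the argument
}

// Blank the argument of every jQuery .text( value ) setter: that value is escaped by jQuery.
function stripEscaped(arg) {
  const setter = /\.text\s*\(/g;
  let out = arg, m;
  while ((m = setter.exec(out)) !== null) {
    const open = m.index + m[0].length - 1;
    const inner = argsAt(out, open);
    if (inner.trim() === '') continue; // .text() getter, e.g. mw.message( k ).text()
    out = out.slice(0, open + 1) + out.slice(open + 1 + inner.length);
    setter.lastIndex = open + 1;
  }
  return out;
}

// Returns [{ line, sink }] for every HTML sink whose argument still holds a raw message getter.
function findRawMessageSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(SINKS)) {
      const arg = stripEscaped(argsAt(line, m.index + m[0].length - 1));
      if (RAW_MSG.test(arg)) findings.push({ line: idx + 1, sink: m[1] });
    }
  });
  return findings;
}
```

findRawMessageSinks(SAMPLE) reports lines 1 and 2 only; the four lines that use .text(), .escaped() or .parse() pass.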