I found a string being output to the DOM without proper escaping in the DisamAssist user script (permalink). This is almost a cross-site scripting (XSS) vulnerability, but it is not exploitable because the angle bracket characters <> are not available in the injection context.
I plan to fix this issue myself, but seeing as the script is in wide use and there are several different copies floating around on various different wikis, I am making this bug report to have a centralised place to discuss the issue. As it falls short of being an XSS issue, I am creating this as a normal task, not a security-protected task.
The issue is in lines 455-456 of the script.
ui.pageTitleLine.html( txt.pageTitleLine.replace( '$1', mw.util.getUrl( currentPageTitle, {redirect: 'no'} ) ).replace( '$2', currentPageTitle ) );
The string being added to the DOM here looks like In <a href="$1">$2</a>: (this example is from the enwiki translation strings). The URL inserted in place of $1 is escaped properly, but the currentPageTitle variable inserted in place of $2 is not escaped. If an attacker could inject syntax like e.g. <img src="x" onerror="alert('XSS')" /> then they could run arbitrary JavaScript. However, the currentPageTitle variable comes from a list of page titles retrieved from the API, and page titles cannot contain angle brackets, meaning an attacker cannot create the necessary HTML tags to exploit this weakness.
The fix here is to escape the currentPageTitle variable with mw.html.escape as follows:
ui.pageTitleLine.html( txt.pageTitleLine.replace( '$1', mw.util.getUrl( currentPageTitle, {redirect: 'no'} ) ).replace( '$2', mw.html.escape( currentPageTitle ) ) );
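To make the difference between the two constructions concrete, here is an added example (not code from the DisamAssist script or from MediaWiki core) that builds the same pageTitleLine markup with and without escaping. It assumes two stand-ins so it runs outside a wiki page: htmlEscape mimics what mw.html.escape does (entity-encodes & ' " < >), and getUrl is a simplified stand-in for mw.util.getUrl that only percent-encodes the title and appends the query. The sample titles are constructed; the second one is deliberately not a valid MediaWiki title, since titles cannot contain angle brackets, and is included only to show what the escaping would prevent if the value ever came from somewhere other than the API's title list.

```javascript
// Added example, not part of the DisamAssist script or MediaWiki core.

// Stand-in for mw.html.escape: MediaWiki escapes these five characters.
function htmlEscape(s) {
  return String(s).replace(/[&'"<>]/g, function (c) {
    return { '&': '&amp;', "'": '&#039;', '"': '&quot;', '<': '&lt;', '>': '&gt;' }[c];
  });
}

// Simplified stand-in for mw.util.getUrl(title, {redirect: 'no'}):
// percent-encodes the title and appends the query parameters.
// The real helper also honours wgArticlePath, wgScript, etc.
function getUrl(title, query) {
  var q = Object.keys(query).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(query[k]);
  }).join('&');
  return '/w/index.php?title=' + encodeURIComponent(title.replace(/ /g, '_')) + '&' + q;
}

// The enwiki translation string quoted in the report.
var pageTitleLine = 'In <a href="$1">$2</a>:';

// Original construction: $2 is substituted as raw HTML.
function buildUnsafe(currentPageTitle) {
  return pageTitleLine
    .replace('$1', getUrl(currentPageTitle, { redirect: 'no' }))
    .replace('$2', currentPageTitle);
}

// Fixed construction: $2 is HTML-escaped before substitution.
function buildSafe(currentPageTitle) {
  return pageTitleLine
    .replace('$1', getUrl(currentPageTitle, { redirect: 'no' }))
    .replace('$2', htmlEscape(currentPageTitle));
}

// Constructed sample inputs.
// validTitle is a legal title; note the ampersand, which the unsafe version
// emits raw into the text node.
var validTitle = 'Tom & Jerry (disambiguation)';
// hostileValue is NOT a legal MediaWiki title (angle brackets are forbidden);
// it stands for a value arriving from some other, untrusted source.
var hostileValue = 'x<img src=x onerror=alert(1)>';

// Run stand-alone to compare the two outputs.
console.log('unsafe:', buildUnsafe(hostileValue));
console.log('safe:  ', buildSafe(hostileValue));
console.log('safe:  ', buildSafe(validTitle));
```

With the valid title, buildSafe emits `Tom &amp; Jerry (disambiguation)` inside the anchor, which the browser renders identically to the raw text, so the fix changes nothing visible for real titles; with the hostile value, only buildUnsafe produces a live `<img>` element.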