Steps to reproduce:
- be on a wiki with WikibaseClient configured/enabled (including a connection to a repo)
- put HTML into MediaWiki:colon-separator
- edit a page which uses Wikibase entities (e.g. contains wikitext like {{#statements:P123|from=Q456}}, where P123 and Q456 are IDs of real, existing entities on the repo)
Outcome:
Wikibase shows the entities being used on the page below the edit form (above the template(s) used on this page); in doing this, it builds an Html::rawElement() using $context->msg( 'colon-separator' )->plain(), so the contents of the colon-separator message are not escaped. If you changed the message to <script>alert("xss")</script>: , then the alert will be shown.
Impact:
Limited, I’d say. On an individual wiki, editing that message is guarded by the interfaceadmin right, and users with that right can also edit common.js directly; in Wikibase as a whole, the message contents are guarded by the “unexpected HTML” check that all translatewiki.net exports are subject to, so it should not be possible for a TWN user to get bad HTML into this message.