Entering "/><img src="x"onerror="alert('XSS')"/> into the "Categories" (and various other) field at https://petscan.wmflabs.org/ results in the code being executed. This can further be propagated by hiding it behind a PSID such as this: https://petscan.wmflabs.org/?psid=21847456. Interestingly, all instances of "<script" appear to be replaced, but that is not enough to prevent the vulnerability.
I had emailed Magnus about this back in January, with no response and nothing being fixed, so I have been told to report to Phabricator.