URL parameters like https://magnustools.toolforge.org/randomarticle.php?lang=%27%3C/input%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E can be used to execute arbitrary JS.
Since I had not received an email response for T305764 either, I am reporting this to Phabricator as well.
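The mitigation for this kind of reflection is to validate `lang` and encode it at the point where it is written into the page. The block below is an added example, not part of the original report and not the tool's source code; the single-quoted `<input>` attribute context, the language-code pattern and all function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical handler, NOT the source of randomarticle.php.

/**
 * Return a validated language code, or the default when the input is not
 * shaped like one. Assumed pattern: lowercase letters with optional
 * hyphenated parts, e.g. "en" or "zh-min-nan".
 */
function clean_lang(?string $raw, string $default = 'en'): string
{
    if ($raw === null) {
        return $default;
    }
    $raw = strtolower(trim($raw));
    $ok = preg_match('/\A[a-z]{2,12}(?:-[a-z0-9]{1,12})*\z/', $raw) === 1;
    return $ok ? $raw : $default;
}

/** Encode a value for a quoted HTML attribute (covers both ' and "). */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Assumed vulnerable shape: the parameter is reflected verbatim. */
function render_unsafe(string $raw): string
{
    return "<input type='text' name='lang' value='" . $raw . "' />";
}

/** Hardened: allowlist validation first, then encoding on output. */
function render_safe(?string $raw): string
{
    return "<input type='text' name='lang' value='" . attr(clean_lang($raw)) . "' />";
}

// Constructed sample: the URL-decoded `lang` value from the report.
// In a real handler the input would be $_GET['lang'] ?? null.
$sample = "'</input><script>alert('XSS')</script>";

echo render_unsafe($sample), PHP_EOL;                   // markup breaks out of the attribute
echo render_safe($sample), PHP_EOL;                     // rejected by validation, default used
echo "<input value='" . attr($sample) . "' />", PHP_EOL; // encoding alone keeps it inert
```

Validation and encoding are both applied because either one can be dropped by a later change; the encoding step is the one that must sit next to every output of the value.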