When a [[File:]] tag to an non-existent image is rendered, the comment is written into the dom without html escaping.
Reported by Writ Keeper:
Hi all,
I'm not sure if this is the right place to report this, but I figured
better safe than sorry. I marked a page for deletion today, called '
Atelje "Meander" ', that had an embedded Youtube video in it (not
through File Upload or Commons), and I didn't think that this was
supposed to be possible. It did this by putting an iframe tag in the
argument to a nonexistent file (File:Nikola Novaković na kontrabasu
Miše Blama), so that it read [[File:Nikola Novaković na kontrabasu
Miše Blama|<iframe src=(url) ...</iframe>]]. The page has been
deleted, but I reproduced the behavior (using an <img> tag instead of
an iframe) on my test account's sandbox, located here:
http://en.wikipedia.org/wiki/User:WK-test/sandbox .
Thanks,
Writ Keeper
Version: 1.19.1
Severity: major