When $wgWellFormedXml is false (default is true), Html::expandAttributes uses a regex ($badChars) having the /u modifier to check for characters that must be quoted as part of an attribute value.
Unfortunately, PCRE 8.32 (part of PHP 5.3.24 - 5.3.27, 5.4.14 - 5.5.4) will fail to match anything (returning false) if any noncharacter is anywhere in the input. Unicode has 66 noncharacters, though MediaWiki's UtfNormal library only checks for U+FFFE and U+FFFF. (Reading the changelog, I think PCRE 8.33 might have corrected this, though I haven't tested to be sure.)
This can be used to carry out a cross-site scripting attack by injecting arbitrary code into the HTML tag; only &, ", \n, \r, and \t are escaped.
Steps to reproduce:
- Compile and install one of the listed PHP versions (or compile PHP against PCRE 8.32)
- Set $wgWellFormedXml = false; in LocalSettings.php
- Go to index.php?title=Special:BlockList&wpTarget=%EF%B7%90><script>alert(1)</script>
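
The failure mode above comes down to reading a preg_match() error (false) as "no match". The sketch below is an added example, not MediaWiki's code or its eventual fix: it quotes the attribute unless preg_match() explicitly returns 0, and it detects all 66 noncharacters at the byte level. The function names, constants and the quoting pattern are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the pattern are hypothetical,
// not MediaWiki's Html::expandAttributes or its $badChars regex.

// Characters that force quoting of an attribute value (constructed pattern).
const NEEDS_QUOTES = '/[\s"\'=<>`]/u';

// Byte-level match for all 66 noncharacters in UTF-8, deliberately without /u
// so it does not depend on how the PCRE build validates its subject:
//   U+FDD0..U+FDEF               EF B7 90..AF
//   U+FFFE, U+FFFF               EF BF BE|BF
//   U+nFFFE, U+nFFFF (n = 1..16) F0..F4 [8F|9F|AF|BF] BF BE|BF
const NONCHARACTER_BYTES =
    '/\xEF\xB7[\x90-\xAF]|\xEF\xBF[\xBE\xBF]|[\xF0-\xF4][\x8F\x9F\xAF\xBF]\xBF[\xBE\xBF]/';

function containsNoncharacter(string $value): bool {
    return preg_match(NONCHARACTER_BYTES, $value) === 1;
}

function attributeNeedsQuotes(string $value): bool {
    if ($value === '' || containsNoncharacter($value)) {
        return true;
    }
    // preg_match() returns 1, 0, or false on error. Only an explicit 0 means
    // "nothing unsafe found"; false must not be read as "no match".
    return preg_match(NEEDS_QUOTES, $value) !== 0;
}

function renderAttribute(string $name, string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return attributeNeedsQuotes($value) ? "$name=\"$escaped\"" : "$name=$escaped";
}

// Inputs: the wpTarget value from the steps above, a plain token, and a
// constructed value containing U+1FFFE.
$samples = [
    rawurldecode('%EF%B7%90><script>alert(1)</script>'),
    'text',
    "abc\u{1FFFE}",
];
foreach ($samples as $s) {
    printf("%-5s %s\n", containsNoncharacter($s) ? 'nonch' : 'clean', renderAttribute('value', $s));
}
```

Only the plain token is emitted unquoted; both values containing a noncharacter are quoted and entity-escaped regardless of what the /u regex reports.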