The fix for fullwidth characters (https://gerrit.wikimedia.org/r/#/c/95557/, bug 55332) broke the CSS sanitizer: it is now possible to embed escape sequences into your CSS code and thus evade the blacklists for url() etc.
Example:
<p style="font-size: 100px; background-image: ur\l(https://www.google.com/images/srpr/logo6w.png)">A</p>
This currently loads the image from Google's server and of course could be modified to allow XSS attacks via expression in old IEs.
Note the Fullwidth Reverse Solidus which is replaced with a normal Reverse Solidus *after* escape sequences are replaced with the actual character.
Version: unspecified
Severity: normal
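
The ordering problem described in this report, reduced to a small model. This is an added example, not MediaWiki's sanitizer code: the function names, the blacklist pattern and the fixed-point loop are assumptions chosen for illustration, and the loop is one possible way to close the gap rather than the fix the project applied.

```python
import re

# Simplified model of a CSS value sanitizer; every name here is hypothetical.
BLACKLIST = re.compile(r"url\s*\(|expression\s*\(", re.I)
CSS_ESCAPE = re.compile(r"\\(?:([0-9A-Fa-f]{1,6})[ \t\r\n\f]?|([^\r\n\f0-9A-Fa-f]))")

def decode_css_escapes(value):
    """Decode hex escapes (\\6c, optional trailing space) and literal escapes (\\l)."""
    def repl(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return CSS_ESCAPE.sub(repl, value)

def fold_fullwidth(value):
    """Map fullwidth forms U+FF01..U+FF5E to ASCII U+0021..U+007E."""
    return "".join(chr(ord(c) - 0xFEE0) if 0xFF01 <= ord(c) <= 0xFF5E else c
                   for c in value)

def normalize_buggy(value):
    # Order from the report: escapes are decoded first, fullwidth is folded
    # afterwards, so a backslash created by folding is never decoded.
    return fold_fullwidth(decode_css_escapes(value))

def normalize_fixed(value, max_rounds=8):
    # Repeat both steps until the value stops changing, so neither step can
    # produce input for the other. Returns None if it does not settle.
    for _ in range(max_rounds):
        out = decode_css_escapes(fold_fullwidth(value))
        if out == value:
            return out
        value = out
    return None

def is_rejected(value, normalize):
    """True if the normalized value hits the blacklist or never stabilizes."""
    normalized = normalize(value)
    return normalized is None or bool(BLACKLIST.search(normalized))

# Constructed sample: the style value from the report, with U+FF3C written out.
SAMPLE = "background-image: ur\uff3cl(https://www.google.com/images/srpr/logo6w.png)"

if __name__ == "__main__":
    print("buggy order rejects:", is_rejected(SAMPLE, normalize_buggy))
    print("fixed order rejects:", is_rejected(SAMPLE, normalize_fixed))
```

The fixed-point loop also catches the nested form where a hex escape itself decodes to the fullwidth backslash, which a single fold-then-decode pass would miss.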