As @Bawolff pointed out in https://commons.wikimedia.org/w/index.php?title=Commons:Upload_help&diff=prev&oldid=140107883, the check I had for animating an element's href to a javascript url wasn't effective.
Fix it to blacklist animating attributeName='xlink:href'.
Patch:
- 1.24: (--3way)
- 1.23: (--3way)
- 1.19:
Affected Versions: incomplete fix in patch for T71008 (1.19.19, 1.22.11 and 1.23.4)
Type: xss
CVE: CVE-2015-2932