import() is a JavaScript keyword, not a global function. Its semantic inconsistency in the MW produces some unexpected problems. Hope it works as much as possible like the original.

在T409139#11338574中，@Dragoniez写道：

Why not use importScriptURI? User common.js isn't an ES module.

Perhaps we should release a shameful fix first. At least ensure it is no longer usable before this security issue becomes widely known. Since it puts many websites running MediaWiki at actual risk.

在T401099#11057173中，@SomeRandomDeveloper写道：

In T401099#11057164, @SomeRandomDeveloper wrote:

Note that this issue appears to have been publicly disclosed in the code of the extension mentioned in the task description: https://github.com/moegirlwiki/mediawiki-extension-MoeImgTag/commit/daec7111d39feb8befa3b7b155fef269e47c011b

@dragon-fish please remove this commit or any comments explaining the issue from the repository

FYI
@AmeroHan (one of our volunteers) provided a standard definition of the characters allowed in XML attribute names:
https://www.w3.org/TR/xml/#NT-Name
https://www.w3.org/TR/xml11/#NT-Name

In T401099#11057173, @SomeRandomDeveloper wrote:

In T401099#11057164, @SomeRandomDeveloper wrote:

Note that this issue appears to have been publicly disclosed in the code of the extension mentioned in the task description: https://github.com/moegirlwiki/mediawiki-extension-MoeImgTag/commit/daec7111d39feb8befa3b7b155fef269e47c011b

@dragon-fish please remove this commit or any comments explaining the issue from the repository

The unit test does not cover the following cases:

Not enough, as far as I know, try /^data-[^:\s\/<>]*$/i

Also try this: