As far as I can tell, **there is no XSS vulnerability here**, but I’m filing this as a security task initially so we can make sure it’s fine, and maybe open it up later.
Wikibase’s `TemplateFactory::render()` must be called with safe / HTML-escaped parameters, but `FederatedPropertiesError` directly passes a label into it:
```lang=php
if ( $hasLabel ) {
	// raw, user-controlled label text: not HTML-escaped
	$labelText = $entity->getLabels()->getByLanguage( $languageCode )->getText();
}
$idInParenthesesHtml = htmlspecialchars( wfMessage( 'parentheses', [ $entityId ] )->parse() );
$html = $templateFactory->render( 'wikibase-title',
	!$hasLabel ? 'wb-empty' : '',
	!$hasLabel ? wfMessage( 'wikibase-label-empty' )->parse() : $labelText, // passed through unescaped
	$idInParenthesesHtml
);
parent::__construct( new RawMessage( $html ), $errorBody, [] ); // parent = ErrorPageError
```
If the entity being shown has HTML in its label (an example on Wikidata would be the infamous [<script>alert("!Mediengruppe Bitnik");</script>](https://www.wikidata.org/wiki/Q43981055)), then //some// of that HTML will be shown on the error page. Specifically, an item with the label
```lang=html
<b style="color: purple; background: url(https://lucaswerkmeister.de/);"><script>alert('xss')</script><b>
```
will look like:
{F37105011}
where the heading’s outer HTML is:
```lang=html
<h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="wikibase-title ">
<span class="wikibase-title-label"><b style="/* insecure input */"><script>alert('xss')</script><b></b></b></span><b style="/* insecure input */"><b>
<span class="wikibase-title-id">(Q8)</span>
</b></b></span></h1>
```
Notice that the `<script>` was escaped, and the `style=` was replaced with the harmless `/* insecure input */`. Apparently, this happens when `OutputPage::setPageTitle()` uses `Sanitizer::removeSomeTags()` for the page title. (The HTML `<title>` further gets `Sanitizer::stripAllTags()` treatment.)
Still, the fact that you can inject some HTML markup is undesirable, and should be fixed.
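For illustration, here is a hardened form of the same call, added to this task as an example and not Wikibase's actual patch: the label is escaped with `htmlspecialchars()` before it reaches `TemplateFactory::render()`, matching the "safe / HTML-escaped parameters" contract. The helper name `escapeLabelForTitle` is an assumption, and the trailing check uses the constructed label from above so it can be run without MediaWiki.

```php
<?php
// Added example (not Wikibase's own fix): the entity label is user-controlled text,
// so it must be HTML-escaped before being handed to TemplateFactory::render(),
// which expects parameters that are already safe HTML fragments.
// The i18n messages are already HTML via ->parse() and need no further escaping.

/**
 * Escape an entity label for use as the 'wikibase-title' label parameter.
 * htmlspecialchars() with ENT_QUOTES turns any markup in the label into inert text,
 * so neither the style= attribute nor the <script> element survives as markup.
 * (Helper name is an assumption for this example.)
 */
function escapeLabelForTitle( string $labelText ): string {
	return htmlspecialchars( $labelText, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Hardened shape of the render call from the task description, in MediaWiki context
// ($templateFactory, $hasLabel, $labelText, $idInParenthesesHtml as in the original snippet):
//
// $html = $templateFactory->render( 'wikibase-title',
//     !$hasLabel ? 'wb-empty' : '',
//     !$hasLabel ? wfMessage( 'wikibase-label-empty' )->parse() : escapeLabelForTitle( $labelText ),
//     $idInParenthesesHtml
// );

// Stand-alone check using the constructed label from this task (runs without MediaWiki):
$label = '<b style="color: purple; background: url(https://lucaswerkmeister.de/);">'
	. '<script>alert(\'xss\')</script><b>';
$escaped = escapeLabelForTitle( $label );

// No angle brackets or raw quotes remain, so the browser renders the label as plain text
// and the sanitizer in OutputPage::setPageTitle() has nothing left to rewrite.
assert( strpos( $escaped, '<' ) === false );
assert( strpos( $escaped, '"' ) === false );
echo $escaped, "\n";
```

With the label escaped up front, the `wikibase-title-label` span contains only text, and the result no longer depends on `Sanitizer::removeSomeTags()` catching the markup later in `OutputPage::setPageTitle()`.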