When `$wgArticlePath` is set to `'$1'`, it's trivially possible to execute XSS attacks:
* Create a page named `javascript:alert('XSS!')`
* Add a wikilink to that page on another one: `[[javascript:alert('XSS!')]]`
Since $wgArticlePath is not absolute, this will generate `<a href="javascript:alert('XSS!')" ...>`.
Note that `$wgArticlePath = '$1'` is a pretty broken configuration setting and unlikely to result in a fully functional wiki, but people desperately grappling with short URLs might end up setting that. On master, it seems to cause infinite redirect loops (probably due to 155d555b83eca6403e07d2094b074a8ed2f301ae?), but I was able to view pages with that setting on MediaWiki 1.25.
It seems that T48998 is an old bug pointing out that some `$wgArticlePath`s just shouldn't be allowed (with a patch).