When `$wgArticlePath` is set to `'$1'`, it's trivially possible to execute XSS attacks:
Note that `$wgArticlePath = '$1'` is a pretty broken configuration setting and unlikely to result in a fully functional wiki, but people desperately grappling with short URLs might end up setting that. On master, it seems to cause infinite redirect loops (probably due to 155d555b83eca6403e07d2094b074a8ed2f301ae?), but I was able to view pages with that setting on MediaWiki 1.25.
It seems that T48998 is an old bug pointing out that some `$wgArticlePath`s just shouldn't be allowed (with a patch).