The page title in the URL of the history link in the PageTriage toolbar is not URL encoded or escaped, allowing possible XSS.
Steps to reproduce:
# Create a page with the title: "onmouseover="alert(0);""
# With an account that can patrol pages, visit the page and open the info tab
# Hover over the "show full history" link
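The attribute breakout described above and the two-layer encoding that closes it, as an added example that is not PageTriage's own code. The function names, the `/w/index.php?title=...&action=history` URL layout and the simplified attribute scanner are assumptions made for illustration.

```javascript
// Added illustration; not PageTriage source. All function names here are hypothetical.
const TITLE = '"onmouseover="alert(0);"'; // page title from the reproduction steps

// Escape characters that are significant in HTML text and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw title is concatenated into a double-quoted href,
// so a quote in the title ends the attribute value early.
function historyLinkUnsafe(title) {
  return '<a href="/w/index.php?title=' + title + '&action=history">show full history</a>';
}

// Hardened pattern: percent-encode for the URL context first,
// then HTML-escape the whole URL for the attribute context.
function historyLinkSafe(title) {
  const url = '/w/index.php?title=' + encodeURIComponent(title) + '&action=history';
  return '<a href="' + escapeHtml(url) + '">show full history</a>';
}

// Simplified scanner for the opening <a> tag (an approximation of the HTML
// tokenizer, enough for these inputs): returns the attribute names it finds.
function attributeNames(html) {
  const openTag = html.slice(html.indexOf('<a') + 2, html.indexOf('>'));
  const re = /([^\s"'>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/g;
  return [...openTag.matchAll(re)].map((m) => m[1].toLowerCase());
}

// The unsafe link gains an event-handler attribute; the safe link has only href.
console.log(attributeNames(historyLinkUnsafe(TITLE)));
console.log(attributeNames(historyLinkSafe(TITLE)));
console.log(historyLinkSafe(TITLE));
```

A regression test for the fix can assert that rendering a page with this title yields a link whose only attribute is `href`.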