==== Steps to reproduce
# On any wiki with the mentor dashboard enabled (as of writing, testwiki and some beta wikis), log in with an account that has the ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
# Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add `<script>alert('XSS');</script>` somewhere to the message
# Log in with an account that's on the [mentors list](https://test.wikipedia.org/w/index.php?title=Wikipedia:Requests/Help_desk/Mentors).
# Go to Special:MentorDashboard
# Alert gets displayed
==== Fix
MenteeOverview::getBody() should not use `Html::rawElement`, or should use `->escaped()` for the message.
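
The two fixes side by side with the vulnerable pattern, as an added stand-alone example that is not the extension's code. The functions and `StubMessage` class are hypothetical stand-ins that model only the escaping behaviour of `Html::rawElement`, `Html::element`, `->text()` and `->escaped()`; the `div` wrapper, the use of `->text()` in the vulnerable case, and the message text are assumptions.

```php
<?php
// Stand-ins (hypothetical, not MediaWiki's implementation): they model only
// whether the contents are HTML-escaped before being placed in the element.

function rawElement( string $tag, string $contents ): string {
	// Like Html::rawElement: contents are trusted as HTML and emitted verbatim.
	return "<$tag>$contents</$tag>";
}

function element( string $tag, string $contents ): string {
	// Like Html::element: contents are treated as text and escaped.
	return "<$tag>" . htmlspecialchars( $contents, ENT_QUOTES, 'UTF-8' ) . "</$tag>";
}

final class StubMessage {
	public function __construct( private string $content ) {
	}

	// Like Message::text(): returns the message without HTML escaping.
	public function text(): string {
		return $this->content;
	}

	// Like Message::escaped(): returns the message HTML-escaped.
	public function escaped(): string {
		return htmlspecialchars( $this->content, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed on-wiki override of the no-JS fallback message (step 2 above).
$msg = new StubMessage( "Please enable JavaScript. <script>alert('XSS');</script>" );

$renderings = [
	'rawElement + text()     (vulnerable)' => rawElement( 'div', $msg->text() ),
	'rawElement + escaped()  (fix A)'      => rawElement( 'div', $msg->escaped() ),
	'element    + text()     (fix B)'      => element( 'div', $msg->text() ),
];

foreach ( $renderings as $label => $html ) {
	// A literal "<script>" in the output means the browser would execute it.
	$state = str_contains( $html, '<script>' ) ? 'live script tag' : 'inert text';
	printf( "%s: %s\n    %s\n", $label, $state, $html );
}
```

Apply one fix or the other: passing `->escaped()` output to `Html::element` would escape the message twice and show literal entities to the user.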
==== Notes
This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on a production wiki, this should go through the normal security patch procedure.