The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html https://phabricator.wikimedia.org/T119158 https://github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a9478268cbd3