Last modified: 2009-04-28 01:12:06 UTC
The $1 and $2 parameters of MediaWiki:Antispoof-name-conflict currently are not escaped, so they cannot be used in links (e.g., '<a href="$1">foo</a>') without creating an XSS hole (it is possible to create a username that can exploit this hole). This was previously being done on enwiki but I have removed the links for now. Either escaped versions of these parameters need to be provided, or this message needs to be changed to use wiki markup.
Actually, I see that the code has changed since I last updated my local copy. The relevant messages are antispoof-conflict-top and antispoof-conflict-item.
Fixed in r49990. Only escaped the invalid username since the spoof matches should already be normalized (since they're existing users).
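
The difference between raw and escaped parameter substitution discussed in this report, as an added PHP example (not AntiSpoof or MediaWiki code, and not the change made in r49990). `render_message()`, the message template and the sample names are all constructed for illustration; the `$rawParams` list is an assumed way to model "only the invalid username is escaped".

```php
<?php
// Added illustration; render_message() is a hypothetical stand-in for a
// message whose text is sent to the browser as raw HTML.

/**
 * Substitute $1..$n into an HTML message template.
 * Every parameter is HTML-escaped unless its 1-based index is listed in
 * $rawParams (values the caller asserts are already safe).
 */
function render_message(string $template, array $params, array $rawParams = []): string
{
    $map = [];
    foreach (array_values($params) as $i => $value) {
        $n = $i + 1;
        $map['$' . $n] = in_array($n, $rawParams, true)
            ? (string) $value
            : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    // strtr() with an array replaces in one pass, longest key first:
    // a value that itself contains "$2" is not expanded a second time,
    // and "$10" is not read as "$1" followed by "0".
    return strtr($template, $map);
}

// Constructed sample message and names (not the real antispoof-* messages).
$template  = 'The name "$1" is too similar to <a href="/wiki/User:$2">$2</a>.';
$requested = 'x"><b>injected</b>';   // name typed by the person registering
$existing  = 'Example';              // name of an existing account

// 1. No escaping: the markup in the requested name reaches the page as HTML.
echo render_message($template, [$requested, $existing], [1, 2]), "\n";

// 2. Only the requested name escaped; the existing name is trusted as-is.
echo render_message($template, [$requested, $existing], [2]), "\n";

// 3. Everything escaped: no reliance on how existing names were stored.
echo render_message($template, [$requested, $existing]), "\n";
```

In the second and third calls the requested name is rendered as the literal text `x&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`, so it can no longer close the surrounding quote or open a tag.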