Last modified: 2012-04-12 13:54:38 UTC
Bug 28235's patch is still vulnerable. http://www.mediawiki.org/w/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(1)%3E.html?
Thanks for that, another fix will be released in 1.16.4. I had Roan Kattouw help me review and test the patch this time, so hopefully we've got it nailed down.
No XSS when I click the link, so it works in 1.17-wmfwhatever. Closing fixed by Tim.