Wikimedia Bugzilla is closed!

Doing a fuzz stress test of 1.7 rc, found one limited HTML attribute injection:
===========================
**#***; <pre dir=mailto:,,,,fffffff}}__TOC__||[[x|y]]&#x22;&#x0A;-------<cite>
===========================

HTML result:
===========================
<ul><li><ul><li><ol><li><ul><li><ul><li><ul><li><dl><dt> <pre
dir="mailto:,,,,fffffff}}__TOC__||[[x|y]]&quot;
</dt></dl>
</li></ul>
</li></ul>
</li></ul>
</li></ol>
</li></ul>
</li></ul>
<p>-------&lt;cite">
===========================

(i.e. the </dt>, </dl>, </li>, </ul>, </ol>, <p> tags are injected). Also
generates a Tidy error.

P.s. My gut suspicion is that we're approaching the last of the injectable stuff
using the Parser.