Last modified: 2009-07-13 20:50:00 UTC
Specifically, in the div#mw-ipb-conveniencelinks the name of the contributions link is not escaped. SpecialBlockip.php, function getContribsLink See also related Bug 19517.
please don't report critical security issues in the public bug tracker; the email address security [at] wikimedia.org exists for that purpose.
fixed in r53159.
Alright, next time, but this is nowhere near critical. User names are pretty heavily restricted anyways, and to the best of my knowledge, the only possible exploit of this one would be to provoke display inconsistencies, since browsers display a "<" as a "<". You can't have plain angle brackets in your user name.
User names are restricted, this is correct, but the link to Special:Contribution doesnt check for that, so you could link to Special:Block?ip=<script>...</script> (or anything else) and it was passed raw to the user.
Yowsa, ok, I just didn't realize the severity then, I didn't look into it that deeply.