Steps to reproduce:
0. Make sure you have a wiki with upload and thumbnailing of paged media enabled (see [[mw:Extension:PdfHandler]] if you don't), and a multipaged file (I will call this File:Carroll.pdf in the following).
- Create File:Carroll.pdf/x with the content
<table class="multipageimage"><tr>
<img src="http://this.is.invalid/a.png" onerror="alert('XSS')">
</tr></table>
- Edit File:Carroll.pdf to have the following content as description
<div class="multipageimagenavbox">[{{fullurl:File:Carroll.pdf/x|action=raw}} Click me!]</div>
and save it (you can't reproduce this in preview).
- Click on the link.
Expected result: Nothing evil happens.
Actual result: A message box pops up, showing "XSS".
The problem is in resources/src/mediawiki.page/mediawiki.page.image.pagination.js, it trusts any link inside an element with class multipageimagenavbox. The function ajaxifyPageNavigation() will call loadPage with the URL of such an link once you click it, and the loadPage function will load that content and interpret it as HTML. (You can't embed <script> tags, as some jQuery magic will remove them, but this isn't necessary as shown in my example.)
Possible solution:
Add a class multipageimagenavboxlink to the <a> tags that should trigger the AJAX navigation, and use $( 'a.multipageimagenavboxlink' ).one( ... ); instead. As there is no way to add links with arbitrary classes in wikitext, such a link can be trusted to be provided by MediaWiki itself.
Version: 1.24rc
Severity: normal