wfMsgExt() and wfMsgWikiHtml() use $wgOut->parse(). This is inappropriate and causes many bugs. For example, at the moment, if you try to view a wiki and your CentralAuth username is blacklisted, it will throw an exception "Empty $mTitle in OutputPage::parse" due to TitleBlacklistHooks::acceptNewUserName() calling wfMsgWikiHtml().
$wgMessageCache->transform() does this correctly. It uses a separate instance of the parser, it doesn't get titles or parser options from strange sources like $wgOut, it doesn't mind if $wgTitle is unset, and it fails gracefully if it is called re-entrantly.
I suggest MessageCache::transform() be refactored to provide a getParser() method, which should then be used by a new method "MessageCache::parse()", which should in turn be used by wfMsgWikiHtml() etc. instead of $wgOut->parse(). The guarding against re-entrant calls should be extended to cover both entry points.
Version: 1.18.x
Severity: critical