Bug 36938 is fixed and adds escaping of uselang for HTML.
For the JavaScript variable mw.config.get( 'wgUserLanguage' ) still a lots of characters are allowed but some are filtered:
https://www.mediawiki.org/w/index.php?uselang= >>> "en"
https://www.mediawiki.org/w/index.php?uselang=%20 >>> " "
https://www.mediawiki.org/w/index.php?uselang=%21 >>> "!"
https://www.mediawiki.org/w/index.php?uselang=%22 >>> """
https://www.mediawiki.org/w/index.php?uselang=%23 >>> "en"
https://www.mediawiki.org/w/index.php?uselang=%24 >>> "$"
https://www.mediawiki.org/w/index.php?uselang=%25 >>> "%"
https://www.mediawiki.org/w/index.php?uselang=%2525 >>> "en"
https://www.mediawiki.org/w/index.php?uselang=%26 >>> "&"
https://www.mediawiki.org/w/index.php?uselang=%26amp >>> "&"
https://www.mediawiki.org/w/index.php?uselang=%26amp; >>> "en"
https://www.mediawiki.org/w/index.php?uselang=; >>> ";"
https://www.mediawiki.org/w/index.php?uselang=: >>> "en"
https://www.mediawiki.org/w/index.php?uselang=%3d >>> "="
https://www.mediawiki.org/w/index.php?uselang== >>> "="
https://www.mediawiki.org/w/index.php?uselang=/ >>> "en"
https://www.mediawiki.org/w/index.php?uselang=" >>> """
https://www.mediawiki.org/w/index.php?uselang=' >>> "'"
Many scripts use wgUserLanguage unescaped. Examples:
https://commons.wikimedia.org/wiki/MediaWiki:Common.js
https://commons.wikimedia.org/wiki/MediaWiki:Gadget-HotCat.js
When you open the following link on dewiki with activated gadget HotCat
https://de.wikipedia.org/w/index.php?uselang=en%26curid=19891835
the page https://commons.wikimedia.org/wiki/User:Fomafix/xss.js is loaded.
Of course this is a bug in the gadget, but there are lots of gadgets which maybe contain the same error.
Expected result:
wgUserLanguage should only be set when uselang contains only necessary allowed characters.
Version: 1.19.1
Severity: normal