Steps to reproduce:
*Add <span class="PopUpMediaTransform" data-videopayload="<script>alert(1)</script>">[[foo]]</span> to a page
*Hit save
*Click on link
(Important note: this only reproduces on page save; there appears to be a separate bug in how TimedMediaHandler loads JavaScript on page preview.)
The vulnerability is in TimedMediaHandler/resources/mw.PopUpThumbVideo.js:
Specifically the line:
var $videoContainer = $( unescape( $(this).parent().attr('data-videopayload') ) );
and later the lines:
mw.addDialog({
...
'title' : $videoContainer.find('video,audio').attr('data-mwtitle'),
'content' : $videoContainer,
Suggested solution: an easy workaround for right now would be setting $wgMinimumVideoPlayerSize to 0 and stopping TimedMediaHandler/resources/mw.PopUpThumbVideo.js from being served.
Longer term, I guess the fix would be to rewrite PopUpThumbVideo so it is given the information not as a string of HTML, but as data it can turn into HTML safely. Alternatively, instead of putting the HTML in a string attribute, the HTML could be output with display:none and then retrieved for the pop-up.
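Added example (not TimedMediaHandler's own code): the reported pattern, where unescape() leaves the attribute's markup intact, next to the data-based approach suggested above. It assumes a hypothetical JSON payload with string fields src and title, and uses plain JavaScript with no DOM or jQuery so it runs standalone.

```javascript
// Added example, not TimedMediaHandler code. Contrasts the reported pattern
// (attribute value treated as HTML after unescape()) with a data-based fix.

// What the reported code does with the attribute: unescape() only decodes %XX
// sequences, so markup that was never URL-escaped passes through untouched and
// the resulting string is exactly what $( ... ) would parse as HTML.
function payloadAsHtml(attrValue) {
  return unescape(attrValue);
}

// Rough check for markup that an HTML parser would turn into a script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Data-based alternative (assumed format: JSON object with string fields
// "src" and "title"). The pop-up builds its own markup from validated data,
// so untrusted strings only ever land in escaped attribute values.
function buildVideoContainer(attrValue) {
  let data;
  try {
    data = JSON.parse(attrValue);
  } catch (e) {
    return null; // not the expected data format: show nothing
  }
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.src !== 'string' || typeof data.title !== 'string') return null;
  // Only allow same-site paths or http(s) URLs as the media source.
  if (!/^(\/(?!\/)|https?:\/\/)/.test(data.src)) return null;
  return '<video src="' + escapeAttr(data.src) + '" data-mwtitle="' +
    escapeAttr(data.title) + '" controls></video>';
}

// Constructed inputs: the payload from the report, and a title that would
// break out of an attribute if it were not escaped.
const REPORTED_PAYLOAD = '<script>alert(1)</script>';
const SAFE_PAYLOAD = JSON.stringify({
  src: '/w/images/Example.ogv',
  title: 'File:Example.ogv" onmouseover="alert(1)'
});
```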
Discovered while investigating bug 56538. That bug has the obvious issue of unescaping something with the non-Unicode-aware unescape function when the input isn't even URL-escaped in the first place, but I haven't mentioned it on that bug since that quite obviously leads to discovering this.
Version: unspecified
Severity: normal