The wfMangleFlashPolicy() function in OutputHandler.php corrupts API output containing "<cross-domain-policy>" by replacing the string with "<NOT-cross-domain-policy>".
https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E
https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&diff=540155307&oldid=540154194
In 2007, wfMangleFlashPolicy() was added in r19996. About a year later, Adobe addressed the vulnerability in Flash Player, and six years have since passed.
According to Adobe's website, by default Flash Player 10 only honors a crossdomain.xml at the site root (the "master-only" meta-policy). So it may be possible simply to remove the check, which already fails to work on many PHP configurations (e.g. with output_buffering = 4096, as set in the sample php.ini files). There is also an "X-Permitted-Cross-Domain-Policies" response header that can be sent.
https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.edu.html
Alternatively, ApiFormatJson could be changed to hex-escape < and > (by removing the FormatJson::XMLMETA_OK flag), though that would do nothing to fix the other (deprecated?) non-XML output formats (e.g. PHP), action=raw, and so on.
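To make the trade-off concrete, here is an added Python example (not MediaWiki's code) that re-implements the string replacement described above beside the hex-escaping alternative and checks which one still lets a client recover the original title; the payload shape, the constructed title and the helper names are assumptions.

```python
import json

# Constructed sample: a page title that legitimately contains the tag.
SAMPLE_TITLE = "<cross-domain-policy>"


def mangle_flash_policy(output: str) -> str:
    """Imitates the string replacement the report describes (not MediaWiki code)."""
    return output.replace("<cross-domain-policy>", "<NOT-cross-domain-policy>")


def api_json_xmlmeta_ok(payload: dict) -> str:
    """JSON with raw < and >, as when XMLMETA_OK leaves them unescaped."""
    return json.dumps(payload)


def api_json_hex_escaped(payload: dict) -> str:
    """JSON with < and > hex-escaped; safe because < and > only occur inside
    JSON strings, and \\u003c / \\u003e decode back to the same characters."""
    return json.dumps(payload).replace("<", "\\u003c").replace(">", "\\u003e")


def api_response_headers() -> dict:
    """Defensive header mentioned in the report: tell Flash Player that this
    response must never be treated as a cross-domain policy file."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Permitted-Cross-Domain-Policies": "none",
    }


def contains_policy_tag(body: str) -> bool:
    """True if the raw bytes could be mistaken for a policy file."""
    return "<cross-domain-policy>" in body


def round_trips(body: str, expected_title: str) -> bool:
    """True if a JSON client gets the original title back unchanged."""
    return json.loads(body)["query"]["pages"]["-1"]["title"] == expected_title


def compare() -> dict:
    payload = {"query": {"pages": {"-1": {"title": SAMPLE_TITLE, "missing": ""}}}}
    mangled = mangle_flash_policy(api_json_xmlmeta_ok(payload))
    escaped = api_json_hex_escaped(payload)
    return {
        "mangled_has_tag": contains_policy_tag(mangled),        # False
        "mangled_round_trips": round_trips(mangled, SAMPLE_TITLE),  # False: corrupted
        "escaped_has_tag": contains_policy_tag(escaped),        # False
        "escaped_round_trips": round_trips(escaped, SAMPLE_TITLE),  # True: intact
    }
```

Both approaches keep the literal tag out of the response body, but only the escaped form returns the title the client asked about.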
Version: 1.24rc
Severity: normal
URL: https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E