If $wgContentHandlerUseDB is enabled, it's possible for a user to change the content model of a page in another user's userspace to CSS or JS. There are two problems with this: One is that a user could be a nuisance by mass-changing the pages, since once they're changed like that, only the userspace's owner or an admin can fix them. Another is that if a user accidentally sets their common.js to wikitext, a malicious user could add bad code to it and change its content model back to JS, so it would get executed. To fix this, when checking if a page is a protected user settings page, we need to check both the old and the new content model, rather than just the old one as we do now.
Version: unspecified
Severity: blocker
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=73490
https://bugzilla.wikimedia.org/show_bug.cgi?id=71163