Most of the time we assume that writing code like:
wfMessage( 'foo' )->params( $this->getRequest()->getVal( 'bar' ) )->parse();
is totally safe. However, in a wiki with $wgRawHTML = true; this code
would be an XSS. I've looked through core and couldn't find any
examples of using unsanitized URL parameters as a message parameter in
a parsed message; however, it seems to me like this sort of thing is an
accident waiting to happen.
I would like to propose that $wgRawHTML only apply to actual pages.
The <html> parser tag should not be active in wfMessage() or other
parser contexts. I don't think this would break anything, but I'd like
feedback on whether anyone can think of anything this could break.
For more information see
https://phabricator.wikimedia.org/T156184 .
Please post any feedback about this idea on that bug.
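The following is an added, self-contained PHP model of the mechanism the post describes; it is not code from the post, from MediaWiki core, or from the Phabricator task. The function names (renderParsed, toyParse, plaintextParam, renderEscaped) and the message text and request value are assumptions made for this model, not MediaWiki APIs. It shows why a message parameter taken from the request reaches the parser as live markup when $wgRawHTML is on, what the proposed change (not honouring <html> in message contexts) does to that path, and the two usual hardening options for callers: escape the parameter before substitution, or render the whole message without the parser.

```php
<?php
// Added example, not code from the original post or from MediaWiki.
// Tiny model of how a parsed message is built: parameters are substituted
// into the message text first, and the result is then parsed, so whatever
// the parameter contains is seen by the parser.
// All function names below are assumptions for this model, not MediaWiki APIs.

/**
 * Model of the parser's handling of the <html> tag.
 * With $wgRawHTML = true the body of <html>...</html> is emitted verbatim;
 * with it off the tag is not recognised and the text is escaped like any
 * other literal text.
 */
function toyParse( string $wikitext, bool $wgRawHTML ): string {
    if ( !$wgRawHTML ) {
        return htmlspecialchars( $wikitext, ENT_QUOTES );
    }
    $out = '';
    $parts = preg_split( '#<html>(.*?)</html>#s', $wikitext, -1, PREG_SPLIT_DELIM_CAPTURE );
    foreach ( $parts as $i => $part ) {
        // odd indexes are the captured <html> bodies: passed through unchanged
        $out .= ( $i % 2 === 1 ) ? $part : htmlspecialchars( $part, ENT_QUOTES );
    }
    return $out;
}

/**
 * Model of wfMessage( ... )->params( ... )->parse().
 * $isMessageContext models the post's proposal: when true, <html> is not
 * active even if $wgRawHTML is on, because this is a message, not a page.
 */
function renderParsed( string $message, array $params, bool $wgRawHTML,
    bool $isMessageContext = false ): string {
    foreach ( $params as $i => $value ) {
        $message = str_replace( '$' . ( $i + 1 ), $value, $message );
    }
    return toyParse( $message, $wgRawHTML && !$isMessageContext );
}

/**
 * Caller-side hardening 1: neutralise the parameter before it is
 * substituted, so it can never carry markup into the parser.
 */
function plaintextParam( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES );
}

/**
 * Caller-side hardening 2: substitute and escape the whole message without
 * running the parser at all (the analogue of rendering a message escaped
 * rather than parsed).
 */
function renderEscaped( string $message, array $params ): string {
    foreach ( $params as $i => $value ) {
        $message = str_replace( '$' . ( $i + 1 ), $value, $message );
    }
    return htmlspecialchars( $message, ENT_QUOTES );
}

// Constructed request value, standing in for $this->getRequest()->getVal( 'bar' ).
$bar = '<html><script>alert(document.cookie)</script></html>';
$message = 'You searched for $1';

// Raw HTML off: the <html> tag is not honoured, the payload is escaped.
echo renderParsed( $message, [ $bar ], false ), "\n";
// Raw HTML on, message parsed as today: the <html> body reaches the output unchanged.
echo renderParsed( $message, [ $bar ], true ), "\n";
// Raw HTML on, but <html> disabled in message contexts as the post proposes.
echo renderParsed( $message, [ $bar ], true, true ), "\n";
// Caller hardening, independent of the wiki's $wgRawHTML setting.
echo renderParsed( $message, [ plaintextParam( $bar ) ], true ), "\n";
echo renderEscaped( $message, [ $bar ] ), "\n";
```

Only the second call emits the script tag; the other four escape it. The model deliberately collapses MediaWiki's sanitizer to "escape everything outside <html>", which is enough to show that the problem lies in the parameter being substituted before parsing, not in the parser's handling of ordinary wikitext.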