We received a e-mail form a client stating he found a content-spoofing vulnerability. Specific; text injection. 

Example URL: https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com

Obviously, load.php is normally used to load mediawiki’s frontend modules; but whenever a package/module can’t be found - it will show a message, containing the searched module. I don’t think this is needed necessarily; if this is has been added to help developers, the solution might be to just load a message into wfDebugLog() instead showing the user the package name. 

Is this something worth creating a MR or PR for? I’m willing to fix it. 

Thanks in advance,

Youri