If the developer setting $wgUseXssLanguage is set to true, then an “x-xss” language code becomes available and can be selected with *?uselang=x-xss* in the URL. When using this language code, all messages become “malicious”: every message is replaced by a snippet of HTML that tries to run alert(' *message-key*').

Clever feature - this will be great for testing. Thank you!

-Yaron