I've just swatted a change to production and merged a patch into the
current master of TextExtracts which updates the extension to strip any
script tags and input tags that may result from parser output.
The problem is theoretical and I'm not aware of any existing vectors for
attack, but I recommend anyone using the TextExtracts extension in
production either update to the current master or update the
$wgExtractsRemoveClasses global config to include script and input tags.
The issue is tracked in
https://phabricator.wikimedia.org/T107206 (currently
hidden, but I've requested it be made public).