Board Thread:Support Requests - Getting Technical/@comment-25295528-20161017152024/@comment-24473195-20161018224253

Saftzie wrote: Dessamator wrote: Saftzie: Oddly enough, Staff was the last one to make edits to that script (probably auto-approving those edits), and they likely missed that security hole. Worse, I just noticed that Rappy was the one who changed  to  .... Not really, Rappy's change was restoring a previous functionality that allowed XSS, http://dev.wikia.com/wiki/MediaWiki:WikiaNotification/code.js?diff=prev&oldid=37436. The person who changed it to ".text" actually made the breaking change, since the script was documented as allowing anchor tags all along.

In any case, that script should be disabled until this is fixed, and should probably be reported through Special:contact/security, or maybe ask VSTF to delete (since there is no disable mechanism) the script for now.