Board Thread:Support Requests - Getting Technical/@comment-25295528-20161017152024/@comment-957747-20161019002049

Dessamator wrote: Not really, Rappy's change was restoring a previous functionality that allowed XSS, http://dev.wikia.com/wiki/MediaWiki:WikiaNotification/code.js?diff=prev&oldid=37436. The person who changed it to ".text" actually made the breaking change, since the script was documented as allowing anchor tags all along.

In any case, that script should be disabled until this is fixed, and should probably be reported through Special:contact/security, or maybe ask VSTF to delete (since there is no disable mechanism) the script for now.

The former code was allowed as such, as the message itself would have to be reviewed for security purposes regardless.
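The trade-off the thread is arguing about (".text" breaks the documented anchor tags, the reverted version reopens XSS) can be shown in a few lines. The block below is an added example and is not the actual MediaWiki:WikiaNotification/code.js; it assumes the script renders the notification message with jQuery's `.text()` (escape everything) or `.html()` (inject verbatim), and adds a third, assumed option that escapes everything first and then re-enables only `<a href="...">` with an http(s) or site-relative href, so anchors work without letting arbitrary markup through. Sample messages are constructed for the example.

```javascript
// Added example, not the script from dev.wikia.com. Three ways to render an
// attacker-influenced notification message into a page:
//   renderAsText        - what $(el).text(msg) does: every tag is escaped, so
//                         the documented <a> tags show up literally.
//   renderAsHtml        - what $(el).html(msg) does: the message is injected
//                         verbatim, so any tag in it executes (XSS).
//   renderAllowAnchors  - assumed alternative: escape everything, then turn
//                         only the strict form <a href="URL">text</a> back into
//                         a real anchor when URL passes a scheme allowlist.

function escapeHtml(s) {
  // '&' must be replaced first or the later entities would be double-encoded
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderAsText(msg) {
  return escapeHtml(msg);
}

function renderAsHtml(msg) {
  // no processing at all: this is the XSS the thread is talking about
  return String(msg);
}

// The href is validated in its already-escaped form: quotes and '<' cannot
// appear raw, '&' only as '&amp;', and the scheme must be http(s) or a
// site-relative path, so javascript:/data: URLs never become an anchor.
const SAFE_HREF_RE = /^(?:https?:\/\/|\/)(?:[A-Za-z0-9._~:/?#@!$()*+,;=%-]|&amp;)*$/;

function isSafeHref(escapedHref) {
  return SAFE_HREF_RE.test(escapedHref);
}

// Matches the escaped form of exactly <a href="...">...</a>; anything looser
// (extra attributes, different spacing) stays escaped and inert.
const ESCAPED_ANCHOR_RE = /&lt;a href=&quot;(.*?)&quot;&gt;(.*?)&lt;\/a&gt;/g;

function renderAllowAnchors(msg) {
  return escapeHtml(msg).replace(ESCAPED_ANCHOR_RE, (match, href, text) =>
    // text is already escaped, so nested tags inside the anchor stay literal
    isSafeHref(href) ? `<a href="${href}">${text}</a>` : match
  );
}

// Constructed sample messages: the documented use (a link) and two hostile ones.
const SAMPLES = [
  '<a href="/wiki/Help:Contents">Read the help page</a>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(document.cookie)">click</a>',
];

for (const msg of SAMPLES) {
  console.log('text   :', renderAsText(msg));
  console.log('html   :', renderAsHtml(msg));
  console.log('anchors:', renderAllowAnchors(msg));
}

module.exports = { escapeHtml, renderAsText, renderAsHtml, renderAllowAnchors, isSafeHref };
```

The point of escaping first and re-enabling second is that the only attacker-influenced value that ever reaches a real attribute is the href, and that single value is checked against an allowlist; everything else, including markup nested inside the anchor text, remains escaped exactly as `.text()` would leave it.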