Thread:Andrewds1021/@comment-45117243-20201111034700/@comment-9605025-20201127165304

Oh man. That is huge! Do you think you could respond to my test thread with the script tag as well as the thread here with the br tag? I noticed that the br tag from the thread here seems to be properly inserted now and I want to know if that is because it is now an additional notification or because they fixed it. Also, I only tested the test threads with @mentions and, if the br tag is still problematic, would like to see if perhaps the issue is also specific to certain notification types or tags; though I doubt it. - Edit:

It seems that templates are substituted but further wikitext parsing is not performed. - Edit:

I just checked with message wall threads. The same type of HTML injection occurs there as well! - Edit:

Okay. After more extensive testing, here is what I have. There appear to be no issues with Special:SocialActivity (although this doesn't show Discussions). All text is properly escaped. The issues are with Special:UserProfileActivity as follows. Discussions misses HTML injection via thread title and does some wikitext parsing as well. Message walls miss HTML injection both via title and reply text; I didn't check wikitext. The same is true of comments except comments don't have a title.
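The pattern the comment above describes (user-controlled thread titles and reply text landing in an activity feed as live HTML) can be reproduced and checked with a small model of a feed renderer. The code below is an added example and is not Fandom's code or the author's; the two render functions, the activity item shape (`title`, `user`, `url`) and the probe payloads are all assumptions made up here to illustrate the unescaped-vs-escaped difference. The tag-count check is a generic way to tell the two apart: a probe title that adds tags to the rendered output beyond what the template itself emits has been injected.

```javascript
// Added example (not Fandom's code): a hypothetical activity-feed item renderer
// in two variants, plus a probe that detects whether a renderer is injectable.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable variant: the user-controlled title, user name and URL are
// concatenated straight into the markup, so a title containing <br> or
// <script> becomes a live element in the feed.
function renderActivityItemUnsafe(item) {
  return `<li class="activity-item"><a href="${item.url}">${item.title}</a> by ${item.user}</li>`;
}

// Hardened variant: every user-controlled field is escaped before interpolation.
function renderActivityItemSafe(item) {
  return `<li class="activity-item"><a href="${escapeHtml(item.url)}">${escapeHtml(item.title)}</a> by ${escapeHtml(item.user)}</li>`;
}

// Constructed probe titles, modelled on the tags mentioned in the thread
// (br and script) plus one attribute-based payload.
const PROBES = [
  { name: 'br', payload: 'hello<br>world' },
  { name: 'script', payload: '<script>alert(1)</script>' },
  { name: 'img-onerror', payload: '<img src=x onerror=alert(1)>' },
];

// Count opening and closing tags in a rendered fragment.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Render a benign item to learn how many tags the template itself produces,
// then render each probe; any probe that raises the tag count was inserted
// as markup rather than as text. Returns the names of the injectable probes.
function findInjectableProbes(render) {
  const base = { user: 'tester', url: '/wiki/Thread:1' };
  const baseline = countTags(render({ ...base, title: 'benign title' }));
  return PROBES
    .filter(({ payload }) => countTags(render({ ...base, title: payload })) > baseline)
    .map(({ name }) => name);
}

console.log('unsafe renderer injectable via:', findInjectableProbes(renderActivityItemUnsafe));
console.log('safe renderer injectable via:', findInjectableProbes(renderActivityItemSafe));
```

The same probe approach can be pointed at a real feed by submitting the payload titles and diffing the rendered DOM against a benign baseline; comparing tag counts rather than searching for the literal payload avoids false negatives when the server rewrites part of the input (for example, substituting templates) before emitting it.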