Board Thread:Support Requests - Getting Technical/@comment-25295528-20161017152024/@comment-1757994-20161018213103

Dessamator wrote: Saftzie: Oddly enough, Staff was the last one to make edits to that script (probably auto-approving those edits), and they likely missed that security hole. Yeah, but it's in production now.

One way both to escape the text supplied and to provide a way to reference another, non-JavaScript page would be to pass  through the parser. MediaWiki would escape the things that need to be escaped. Links like  would have to be rewritten as. References to templates would be as easy as setting  to.

In the meantime, that's not the way it's implemented, so making it parse wikitext would be a breaking change.