Steps to reproduce:
- Go to
- Hover over the first link.
-> A popup will be shown with your cookie.
The problem is in function formatHTML from ApiFormatBase.php:
The raw output contains
api.php?http://onmouseover=alert(document.cookie)//
In a first pass this is transformed into a link to api.php, i.e. into
<a href="api.php?http://onmouseover=alert(document.cookie)//">...</a>
In a second step, strings starting with http:// are recognized as URLs and transformed into links, too. But as it is inside an attribute, this breaks the HTML structure:
<a href="api.php?<a href="http://onmouseover=alert(document.cookie)//">...</a>">...</a>
This is invalid HTML, but according to HTML5 the first a-tag gets an onmouseover-attribute with the value 'alert(document.cookie)//"'.
Version: unspecified
Severity: normal
URL: https://en.wikipedia.org/w/api.php?action=parse&text=api.php?http://onmouseover=alert%28document.cookie%29//&title=Foo&prop=wikitext&format=jsonfm
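
The double linkification described in the report, next to a single-pass alternative, as an added example that is not part of the original report and not MediaWiki's own code. The function names, the regexes and the second sample line are assumptions made for illustration.

```php
<?php
// Simplified model of the two passes described in the report. The function
// names and regexes are assumptions, not MediaWiki's formatHTML() code.

function linkifyTwoPass(string $raw): string {
    $html = htmlspecialchars($raw, ENT_QUOTES);
    // Pass 1: turn api.php?... into a link.
    $html = preg_replace('/api\.php\?[^ "<>\n\t]+/', '<a href="$0">$0</a>', $html);
    // Pass 2 runs over the markup produced by pass 1, so it also rewrites
    // the http:// text that now sits inside the href attribute.
    return preg_replace('#(?:https?|ftp)://[^ "<>\n\t]+#', '<a href="$0">$0</a>', $html);
}

function linkifySinglePass(string $raw): string {
    // One combined pattern over the raw text: every character belongs to
    // at most one link, and generated markup is never scanned again.
    $pattern = '#(api\.php\?[^ "<>\n\t]+|(?:https?|ftp)://[^ "<>\n\t]+)#';
    $parts = preg_split($pattern, $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        $safe = htmlspecialchars($part, ENT_QUOTES);
        // Odd indexes hold the captured link targets, even ones plain text.
        $out .= ($i % 2 === 1) ? "<a href=\"$safe\">$safe</a>" : $safe;
    }
    return $out;
}

// Regression check: escaped output never has a raw "<" inside an href value.
function hasMarkupInsideHref(string $html): bool {
    return preg_match('/href="[^"]*</', $html) === 1;
}

// The string from the report, plus a constructed line with ordinary links.
$samples = [
    'api.php?http://onmouseover=alert(document.cookie)//',
    'see api.php?action=query&x=1 and https://example.org/ for "details"',
];
foreach ($samples as $raw) {
    printf("two-pass    broken=%s\n", var_export(hasMarkupInsideHref(linkifyTwoPass($raw)), true));
    printf("single-pass broken=%s\n", var_export(hasMarkupInsideHref(linkifySinglePass($raw)), true));
}
```

The `hasMarkupInsideHref` check can be kept as a regression test for any formatter that builds links from text with more than one pattern.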