I've noticed a concerning behavior in my MediaWiki installation's API endpoint (api.php) where it seems to be executing JavaScript code passed as URL parameters directly.
For instance, when I make a request like this: http://wiki.loc/api.php?action=help&modules=alert(document.cookie) Instead of treating the JavaScript code (alert(document.cookie)) as plain text, it seems to execute it, triggering an alert with the user's cookie data.
This behavior raises significant security concerns as it opens the door to potential Cross-Site Scripting (XSS) attacks.
I've reviewed the request handling code in api.php, but I couldn't find any immediate solution to prevent this behavior.
Could someone please provide insights into why MediaWiki might be executing JavaScript from URL parameters and how to mitigate this security risk effectively?
Thank you for your assistance.