Last modified: 2012-10-24 11:55:23 UTC
Created attachment 9909 [details] Suggestion popup. I have an alternate account named [User:Amalthea'"<] to test escaping issues in tools. Using Monobook skin, when I type [User:Amalthea'] into the search input field, the search-as-you-type suggestion popup displays [User:Amalthea'"<]. I interpret this as my browser auto-correcting the broken entity [<] and displaying it as [<], which in turn means that the ampersand is not escaped properly when it's written into the suggestion popup. Since page names are heavily sanitized I don't see a way that this can be exploited, but it should be fixed nonetheless. Vector skin is behaving correctly.
This seems fixed now...