Last modified: 2014-02-12 23:32:52 UTC
http://www.mediawiki.org/wiki/Special:PasswordReset [POST] wpUsername=<h1 style=background:red;position:absolute;top:0;left:0;width:1000px;height:1000px></h1>
The username (in case it doesn't exist) is parsed as wikicode in the returned message, and it doesn't send disallowed tags like <script></script> as plain HTML but as text, so it doesn't seem to be something critical. I'm not sure if that's an issue with the Special:PasswordReset message or if that's something more general about how we handle parameters in interface messages. [Changed component: Wikimedia/Wikidata -> MediaWiki/General/Unknown]