Last modified: 2014-09-28 14:04:43 UTC
See https://test.wikidata.org/w/index.php?title=Q142&action=history -- Not XSS: only ampersands are affected.
Including: (1) <h1> title, (2) <title> title, (3) edit summary.
Non-executable HTML tags are also affected in (1) and (2) above, see: https://test.wikidata.org/w/index.php?title=Q143&action=history -- Thanks to the standard sanitizer applied to page titles, executable tags are filtered out: https://test.wikidata.org/w/index.php?title=Q144&action=history
I think this has been fixed in the meantime.
(In reply to Bene* from comment #3)
> I think this has been fixed in the meantime.
No. Have a look at the linked page: the edit summary of the first revision says "Created a new item: 1 & 2" but the heading is "Revision history of "1 & 2" (Q142)". Obviously they don't match: either one side overescaped the label once, or another side failed to do an escape.
Hmm I should try a new item as existing summaries are not dynamically generated, but the result is the same: https://test.wikidata.org/w/index.php?title=Q785&action=history
Oh, I was referring to your comment #1
> Including: (1) <h1> title, (2) <title> title, (3) edit summary.
Only the edit summary still has issues which I didn't notice.
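Added example, not part of the thread and not MediaWiki or Wikibase code: one way to tell which output context over-escaped or under-escaped a label is to compare the HTML source each context serves against the raw label escaped 0, 1, 2... times. The function names and the sample strings are assumptions constructed for illustration; they do not record the actual state of test.wikidata.org.

```python
import html

VERDICTS = {0: "unescaped", 1: "ok", 2: "double-escaped"}


def escape_depth(raw, served, max_depth=3):
    """Return how many times `raw` was HTML-escaped to produce `served`.

    Returns None when `served` is not `raw` escaped 0..max_depth times, or
    when `raw` has no HTML-special characters (escaping is then the identity,
    so the depth cannot be observed from the output).
    """
    if html.escape(raw, quote=False) == raw:
        return None
    candidate = raw
    for depth in range(max_depth + 1):
        if candidate == served:
            return depth
        candidate = html.escape(candidate, quote=False)
    return None


def audit(raw, served_by_context):
    """Map each output context to a verdict on its escaping of `raw`."""
    report = {}
    for context, served in served_by_context.items():
        depth = escape_depth(raw, served)
        if depth is None:
            report[context] = "unknown"
        else:
            report[context] = VERDICTS.get(depth, f"escaped {depth} times")
    return report


# Constructed sample: the label as stored, and the HTML *source* (not the
# rendered text) that three hypothetical contexts emit for it.
LABEL = "1 & 2"
SAMPLE = {
    "h1": "1 &amp; 2",              # escaped once: renders as "1 & 2"
    "title": "1 &amp; 2",
    "edit summary": "1 &amp;amp; 2",  # escaped twice: renders as "1 &amp; 2"
}

if __name__ == "__main__":
    for context, verdict in audit(LABEL, SAMPLE).items():
        print(f"{context}: {verdict}")
```

A depth of 0 on a label containing `<` or `>` is the case that matters for XSS; a depth of 2 is a display bug only, which is the situation the thread describes for ampersands.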