In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.

References:
https://phabricator.wikimedia.org/T268894
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1909228]
External References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
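The unsafe pairing named in the description, next to two escaped forms, as an added example that is not MediaWiki's code or the upstream patch. DemoMessage and DemoHtml are hypothetical, simplified stand-ins for the escaping behaviour of Message::text/Message::escaped and Html::rawElement/Html::element (attributes omitted); the default message text and the override value are constructed.

```php
<?php
// Hypothetical stand-ins mimicking the escaping contract of MediaWiki's
// Message and Html classes. This is NOT MediaWiki source code.
final class DemoMessage {
    /** On-wiki overrides, i.e. pages in the MediaWiki: namespace (constructed). */
    public static $overrides = [];
    /** Constructed default text, not the real message. */
    private static $defaults = ['recentchanges-legend-watchlistexpiry' => 'Temporarily watched page'];
    private $key;

    public function __construct(string $key) { $this->key = $key; }

    private function fetch(): string {
        return self::$overrides[$this->key] ?? self::$defaults[$this->key] ?? '';
    }
    // Like Message::text(): returns the message without HTML escaping.
    public function text(): string { return $this->fetch(); }
    // Like Message::escaped(): returns the message HTML-escaped.
    public function escaped(): string { return htmlspecialchars($this->fetch(), ENT_QUOTES); }
}

final class DemoHtml {
    // Like Html::rawElement(): $contents is inserted verbatim, the caller must escape.
    public static function rawElement(string $tag, string $contents): string {
        return "<$tag>$contents</$tag>";
    }
    // Like Html::element(): $contents is escaped before insertion.
    public static function element(string $tag, string $contents): string {
        return self::rawElement($tag, htmlspecialchars($contents, ENT_QUOTES));
    }
}

// Constructed override of the message definition, as it could be saved on-wiki.
DemoMessage::$overrides['recentchanges-legend-watchlistexpiry'] = '<img src=x onerror=alert(1)>';
$msg = new DemoMessage('recentchanges-legend-watchlistexpiry');

// Unsafe pairing: unescaped text passed to a sink that does not escape.
$vulnerable = DemoHtml::rawElement('dd', $msg->text());
// Escaped forms: escape at the message, or use the escaping sink.
$fixedA = DemoHtml::rawElement('dd', $msg->escaped());
$fixedB = DemoHtml::element('dd', $msg->text());

echo "rawElement + text():    $vulnerable\n";
echo "rawElement + escaped(): $fixedA\n";
echo "element + text():       $fixedB\n";
// true when the override's markup survived into the output unescaped
var_dump(strpos($vulnerable, '<img') !== false, strpos($fixedA, '<img') !== false);
```

For review, any call where a text() result reaches rawElement() is worth flagging, since the message content is editable on-wiki.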