MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later. References: https://phabricator.wikimedia.org/T268938 https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1909238]
External References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html