If the developer setting $wgUseXssLanguage is set to true, then an “x-xss”
language code becomes available and can be selected with *?uselang=x-xss*
in the URL. When using this language code, all messages become “malicious”:
every message is replaced by a snippet of HTML that tries to run alert('
*message-key*').

Clever feature - this will be great for testing. Thank you!

-Yaron

WikiWorks · MediaWiki Consulting · http://wikiworks.com