Wikidata / SQID

A tool to analyse, browse and query Wikidata
http://tools.wmflabs.org/sqid/
Apache License 2.0
84 stars 17 forks

Remote code execution is possible #127

Closed sjoerddebruin closed 6 years ago

sjoerddebruin commented 6 years ago

Book titles like https://tools.wmflabs.org/sqid/#/view?id=Q43981055 show some JavaScript popup, this shouldn't be possible and is quite some security issue.

mkroetzsch commented 6 years ago

Note that Q4115189 can best be used to test this. I already inserted some HTML entities there and we can see a lack of escaping. The current behaviour suggests that a simple escaping along the lines of https://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript when applied to all strings before output would work correctly.
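The fix suggested in the comment above, escaping every Wikidata string before it is interpolated into HTML, looks like the following. This is an added example, not code from the SQID project: `escapeHtml`, `renderLabelHtml` and the sample label are assumptions made for illustration, and the sample label is a constructed stand-in for a label containing markup, not the content of any real item.

```javascript
// Added example (not SQID project code): escape entity strings before they
// are placed into an HTML fragment, so that markup stored in a Wikidata label
// is displayed as text instead of being interpreted by the browser.

// One replacement table covering the five characters that matter in both
// text and double-quoted attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Single-pass replacement: because '&' is escaped in the same pass as the
// others, an already-produced entity is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical render helper: builds the fragment for one entity label.
// Both the attribute value and the element text go through escapeHtml,
// so neither can break out of its context.
function renderLabelHtml(entityId, label) {
  return (
    `<span class="entity-label" data-id="${escapeHtml(entityId)}">` +
    `${escapeHtml(label)}</span>`
  );
}

// The same helper written the way the report describes the bug: raw
// interpolation. Kept only to make the difference visible side by side.
function renderLabelHtmlUnsafe(entityId, label) {
  return `<span class="entity-label" data-id="${entityId}">${label}</span>`;
}

// Constructed sample: a label that carries markup, as a malicious edit could.
const SAMPLE_ID = 'Q4115189';
const SAMPLE_LABEL = 'Sandbox <script>alert("label")</script> & "quotes"';

// Returns true when the rendered fragment still contains an unescaped tag,
// i.e. when the label would be parsed as markup rather than shown as text.
function containsRawTag(html) {
  // Strip the known wrapper element, then look for any remaining '<'.
  const inner = html.replace(/^<span class="entity-label" data-id="[^"]*">/, '')
                    .replace(/<\/span>$/, '');
  return inner.includes('<');
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderLabelHtmlUnsafe(SAMPLE_ID, SAMPLE_LABEL));
  console.log('safe:  ', renderLabelHtml(SAMPLE_ID, SAMPLE_LABEL));
  console.log('unsafe contains raw tag:', containsRawTag(renderLabelHtmlUnsafe(SAMPLE_ID, SAMPLE_LABEL)));
  console.log('safe contains raw tag:  ', containsRawTag(renderLabelHtml(SAMPLE_ID, SAMPLE_LABEL)));
}
```

Where a string only ever becomes element text, assigning it to `textContent` instead of building HTML avoids the problem without any escaping; the escaping helper is what is needed whenever the code concatenates strings into HTML, as the report suggests SQID does for labels.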