starcitizentools/citizen-skin allows stored XSS in user registration date message

Summary Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. Details The result of $this-lang-userDate $timestamp, $this-user returns unescaped values, but is inserted as raw HTML by...