Yeah, that's true. We also always use the RETURN_DOM_FRAGMENT / RETURN_DOM options, which avoids the issue according to the article (I don't think we serialize/reparse the output anywhere ourselves). And also, we forbid the 'style' tag, which seems to be required by the exploits (although that is just a lucky coincidence).

https://github.com/wikimedia/VisualEditor/blob/master/src/ve...