Manual:$wgUseXssLanguage

Details
Whether to enable the x-xss language code, used to make checking for issues more convenient.

When this feature is enabled, the language code can be selected via the URL parameter. In this fake language, every message becomes a simulated cross-site scripting attack, trying to run  JavaScript code; this simulates an attacker who can change individual messages (e.g. an  who can edit the ). If any alert is shown in the browser, then the corresponding message was not escaped correctly; either the code using the message needs to be fixed, or the message key should be added to .