I posted a patch for testing on the currently non-public Phabricator ticket about a couple of weeks ago. Nobody's commented on it so far, so if no one comments on it and points out obvious issues (not that I saw any, but it's been a while since I actually worked on it), I'll probably just commit it and +2 it myself by the end of the year or so.
That said, the issues aren't really that big. An actual security engineer told me once that CSRF issues aren't much of a big deal with modern browsers anymore, and the "XSS" possibility is basically "some messages accept raw HTML (but they probably shouldn't)", which is problematic if and when you don't trust the people with the wikiforum-admin user right; if you do trust the users with that right, then it's unlikely to be an issue. Really, it's like with the editinterface user right in general: be careful about who you hand it out to and you'll be fine.