Thank you for your recent tagging to Extension pages for XSS vulnerabilities in a couple of extensions.
If you havn't already, it would be fantastic if you could file documentation about the vulnerabilities as a security task in our bug tracking system, Phabricator so that these can be looked at and reviewed.
I added a task for the one repository, MsCalendar. As Extension:RecentPages is not in WMF tracking, I feel it would be irresponsible of me to disclose the nature of the vulnerability to a third party such as the WMF.
Just to clarify, have you notified Nathan Larson in some off wiki manner of the issue? (He's banned on wiki, but the extension seems to be developed on github so there's potential for him to fix it).