As surfaced via mwext-php72-phan-seccheck-docker in https://gerrit.wikimedia.org/r/578566, the phan-taint-check-plugin finds a SecurityCheck-XSS warning within includes/GlobalBlockingHooks.php in the GlobalBlocking extension. This appears to be a false positive, as both of the suspect Html::rawElement() calls (lines 188, 191) seem fine:
- The strings on line 189 are hard-coded html class attributes
- The strings on line 190 are sent to parseAsBlock()
- The Html::rawElement() call on line 191 accepts data from GlobalBlockListPager::formatRow(), whose return value appears ok from a quick look at the function (all string data sent to parse(); other string data sent to text() ~~should~~ might not be harmless, and Linker::commentBlock()'s output should be fine here).
Therefore, includes/specials/GlobalBlockListPager.php ~~GlobalBlockingHooks::onSpecialContributionsBeforeMainOutput() should be safe and warrant the appropriate comment directive suppression~~ likely has a lightweight XSS that should be mitigated by https://gerrit.wikimedia.org/r/579003.