I quickly reviewed SpecialSmiteSpamTrustedUsers.php and a ton of messages are output as raw HTML into the form. They should be escaped.
| Repository | Branch | Lines +/- | Subject |
|---|---|---|---|
| mediawiki/extensions/SmiteSpam | master | +14 -14 | Escape raw HTML messages in SmiteSpam SpecialPages |

| Status | Assigned | Task |
|---|---|---|
| Open | None | T2212 Some MediaWiki: messages not safe in HTML (tracking) |
| Open | None | T85864 Special pages, actions and views whose messages don't escape text |
| Resolved | MtDu | T152831 SmiteSpam has lots of HTML messages |
@FilipGCI, I don't think that's what happens. The %20 kind of escaping is for use in URLs (such as PHP's urlencode), but this is escaping for HTML (< gets converted to &lt; and other things like that). Take a look at https://www.mediawiki.org/wiki/Manual:Messages_API#Output_modes_and_escaping.
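
The distinction drawn in the comment above, as an added example that is not part of the original thread and not SmiteSpam's code: the same message text placed into a form unescaped, HTML-escaped, and percent-encoded for a URL. The helper names, the `/index.php?search=` URL and the sample message text are assumptions constructed for illustration; inside MediaWiki the Message class's `->escaped()` output mode is what produces the HTML-escaped form.

```php
<?php
// Constructed sample: the text of an interface message as an on-wiki
// override might supply it. Not taken from SmiteSpam.
$messageText = 'Trusted users <script>alert(1)</script> & "friends"';

// Hypothetical helper: the pattern the task reports. The message text
// is concatenated into markup unchanged, so any tags in it become live.
function labelRaw(string $msg): string {
    return '<label>' . $msg . '</label>';
}

// Hypothetical helper: HTML escaping. <, >, & and quotes become
// entities, so the browser shows the text instead of parsing it.
function labelEscaped(string $msg): string {
    return '<label>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</label>';
}

// Hypothetical helper: URL context. Percent-encoding (the "%20 kind")
// applies to the value as a query component only. The finished URL is
// still HTML-escaped for the attribute, and the link text is
// HTML-escaped on its own.
function searchLink(string $msg): string {
    $url = '/index.php?search=' . rawurlencode($msg);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Print each variant so the three encodings can be compared side by side.
echo "raw label:     ", labelRaw($messageText), "\n";
echo "escaped label: ", labelEscaped($messageText), "\n";
echo "percent-enc.:  ", rawurlencode($messageText), "\n";
echo "link:          ", searchLink($messageText), "\n";
```

Percent-encoded text dropped into an HTML body is displayed as literal `%3C...` sequences, which is why the patch needs HTML escaping rather than URL encoding.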