Following up on the work being done for T45646, I've identified the following raw HTML messages in WMF-deployed extensions:
- some raw <a> tags can be seen in the i18n file, I haven't gone through to check which other messages are raw HTML
- all help messages (wikieditor-toolbar-help-*)
- all titles of jQuery UI dialogs (wikieditor-toolbar-tool-*-title)
- MediaWiki:Gadgets-definition (and possibly others?)
These messages should be added to the raw HTML messages list in extension.json, support for which is being added by @Tgr in his patch.
Needless to say, this list is not exhaustive. There are probably many other raw HTML messages, and a proper audit should be done. Perhaps @Bawolff, who wrote phan-taint-check-plugin, might have thoughts on this?