Relevant code:
Html::rawElement( 'li', [ 'class' => htmlspecialchars( $url['class'] ) ], Html::rawElement( 'a', [ 'href' => htmlspecialchars( $url['href'] ) ], $url['text'] ) );
Attributes are automatically escaped, so they don't need to be explicitly escaped.
<checkstyle version="6.5"> <file name="./RelatedSites.class.php"> <error line="143" severity="warning" message="Calling method \Html::rawElement() in \RelatedSites::onSidebarBeforeOutput that outputs using tainted argument $[arg #2]." source="SecurityCheck-DoubleEscaped"/> <error line="144" severity="warning" message="Calling method \Html::rawElement() in \RelatedSites::onSidebarBeforeOutput that outputs using tainted argument $[arg #2]." source="SecurityCheck-DoubleEscaped"/> <error line="145" severity="warning" message="Calling method \Html::rawElement() in \RelatedSites::onSidebarBeforeOutput that outputs using tainted argument $[arg #2]." source="SecurityCheck-DoubleEscaped"/> </file> </checkstyle>