In a parser tag hook:
return wfMessage( 'rss-error', htmlspecialchars( $input ), Status::wrap( $status )->getWikitext() )->text();
There's one more phan-taint-check-plugin warning that I can't tell if it's legit or not. I think I remember @Bawolff saying that reusing variables (like in RSSParser::renderFeed()) confuses the plugin.
<checkstyle version="6.5"> <file name="./RSSHooks.php"> <error line="86" severity="warning" message="Outputting user controlled HTML from Parser tag hook \RSSHooks::renderRss" source="SecurityCheck-XSS"/> <error line="95" severity="warning" message="Outputting user controlled HTML from Parser tag hook \RSSHooks::renderRss (Caused by: ./RSSParser.php +374; ./RSSParser.php +363; ./RSSParser.php +368)" source="SecurityCheck-XSS"/> </file> </checkstyle>