It would be nice to add phan-taint-check-plugin to the Translate extensions.
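<?xml version="1.0" encoding="ISO-8859-15"?>
<!--
  Checkstyle-format report of phan-taint-check-plugin findings.
  Each <error> is one finding:
    line    = the line of the flagged call in the file named by the enclosing <file>
    source  = the issue type (SecurityCheck-XSS, SecurityCheck-DoubleEscaped)
    message = the flagged call, followed by "Caused by" lists of "file +line"
              locations the tool reports as the origin of the tainted value
  Layout note: the report was collapsed onto one line with a line break inside
  the message attribute of the line-362 finding. It is restored here to one
  element per block, and that message is rejoined so it matches the otherwise
  identical line-376 finding.
-->
<checkstyle version="6.5">

  <!--
    Three warnings on consecutive Html::element() calls in
    SpecialTranslationStats::form, all with the same cause lines (199, 203, 206).
    Html::element() escapes its third argument itself, so DoubleEscaped here
    suggests the value is already escaped before it is passed in. Because the
    cause lines are shared, one change at the origin likely clears all three;
    confirm against the code.
  -->
  <file name="./specials/SpecialTranslationStats.php">
    <error line="208"
           severity="warning"
           message="Calling method \Html::element() in \SpecialTranslationStats::form that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./specials/SpecialTranslationStats.php +199; ./specials/SpecialTranslationStats.php +203; ./specials/SpecialTranslationStats.php +206)"
           source="SecurityCheck-DoubleEscaped"/>
    <error line="209"
           severity="warning"
           message="Calling method \Html::element() in \SpecialTranslationStats::form that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./specials/SpecialTranslationStats.php +199; ./specials/SpecialTranslationStats.php +203; ./specials/SpecialTranslationStats.php +206)"
           source="SecurityCheck-DoubleEscaped"/>
    <error line="210"
           severity="warning"
           message="Calling method \Html::element() in \SpecialTranslationStats::form that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./specials/SpecialTranslationStats.php +199; ./specials/SpecialTranslationStats.php +203; ./specials/SpecialTranslationStats.php +206)"
           source="SecurityCheck-DoubleEscaped"/>
  </file>

  <!--
    The cause lines point into ../../includes/logging/LogFormatter.php, i.e.
    outside this extension's own tree. The override in
    PageTranslationLogFormatter::getComment is flagged because of what the
    parent method is reported to do, so the fix may not belong in this file.
  -->
  <file name="./tag/PageTranslationLogFormatter.php">
    <error line="77"
           severity="warning"
           message="Calling method \LogFormatter::getComment in \PageTranslationLogFormatter::getComment that is always unsafe (Caused by: ../../includes/logging/LogFormatter.php +706; ../../includes/logging/LogFormatter.php +703)"
           source="SecurityCheck-DoubleEscaped"/>
  </file>

  <!--
    The only SecurityCheck-XSS findings in the report, so triage these first.
    OutputPage::addHTML() emits its argument as raw HTML. Both calls (lines 362
    and 376) share the same cause lines (281, 293, 301, 361). For each value
    reaching addHTML(), either escape it, build it with the Html:: helpers, or
    record it as a reviewed false positive.
  -->
  <file name="./utils/MessageWebImporter.php">
    <error line="362"
           severity="warning"
           message="Calling method \OutputPage::addHTML() in \MessageWebImporter::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./utils/MessageWebImporter.php +293; ./utils/MessageWebImporter.php +281; ./utils/MessageWebImporter.php +301; ./utils/MessageWebImporter.php +361)"
           source="SecurityCheck-XSS"/>
    <error line="376"
           severity="warning"
           message="Calling method \OutputPage::addHTML() in \MessageWebImporter::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./utils/MessageWebImporter.php +293; ./utils/MessageWebImporter.php +281; ./utils/MessageWebImporter.php +301; ./utils/MessageWebImporter.php +361)"
           source="SecurityCheck-XSS"/>
  </file>

</checkstyle>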
The issue in PageTranslationLogFormatter.php is T201565.