The phan-taint-check-plugin seems to be treating output of Language->convert() as already HTML escaped. Is this correct? I tried following the code but didn't see an obvious spot where the escaping happened.
It would be good to document this in the @return for this method.