Filing as a security out of caution.
I spent a while trying to track down the final phan-taint-check-plugin failures in CheckUser, and tracked it down to Linker::formatLinksInComment(). I wasn't really able to narrow it down farther than that, it seemed to be complaining about the regex itself.
I would appreciate a review of the function by someone other than myself before I add @return-taint escaped to it.
This is a false positive in the plugin.