One of the faulty lines has

echo $GLOBALS['wgOut']->parseAsContent( '{{:' . $t . '}}' );

so it may or may not be a false positive. We'd have to check thoroughly.

Of note, it didn't happen before just because gate-and-submit only had mediawiki-i18n-check-docker. The other jobs (seccheck included) were added later (although apparently they were in layout.yaml already...)

Apparently these are false positives, hence I'm going to suppress them. I didn't investigate why seccheck is reporting those. Considering the following (simplified) snippet:

$title_string = wfMessage( 'coll-failed_collection_info_text_article' )->inContentLanguage()->text();
$t = Title::newFromText( $title_string );
echo $GLOBALS['wgOut']->parseAsContent( '{{:' . $t . '}}' );

Almost surely, taint-check is (correctly) assuming that $title_string is unsafe. Then, one or both of the following are likely happening:

• taint-check sees a superglobal ($GLOBALS) which is tainted, and for some reason it's propagating that taintedness to the return value
• taint-check is not seeing that OutputPage::parseAsContent HTML-escapes the string

At any rate, it's not worth investigating until we'll release taint-check 3.0 (at least).

Change 542083 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/Collection@master] Suppress taint-check false positives

https://gerrit.wikimedia.org/r/542083

Change 542083 merged by jenkins-bot:
[mediawiki/extensions/Collection@master] Suppress taint-check false positives

https://gerrit.wikimedia.org/r/542083

Thank you!