Some examples: Exceptions, action=raw, load.php, etc.
As a precaution, it wouldn't hurt for us to send a really restrictive CSP (e.g. default-src 'self'; script-src 'none'; object-src 'none' ) as a paranoia measure for such output. There should be no active html in such a case, so it shouldn't hurt anything.
Not counting: things that output images [its a bit more complex with svg and pdf], RSS [I don't know how this interact with embedded html snippets]