From @Daimona's comments on https://gerrit.wikimedia.org/r/c/mediawiki/core/+/637892/:
I guess this wouldn't hurt, but two important remarks:
- taint-check doesn't check any XML-related methods; is there any security check that does?
- most importantly, is this file really useful? It seems like a big hack that might be replaced with a custom phan plugin. Furthermore, it's only used by tests/phan/bin/phan, which again seems just an old wrapper, with lots of legacy stuff, outdated options, and whatnot (as a case in point, it tries loading a config file from tests/phan/config.php, but it's been in ./phan/config.php since last year).
Nowadays you only really need 'vendor/bin/phan -d . --long-progress-bar'. We might create a 'composer phan' wrapper, but a dedicated script really seems a horrible overkill that will eventually stop working.
TL;DR: Can we just burn this file (and tests/phan/bin/phan) with fire instead?