The HTMLForm library doesn't escape the input of the help key by default. Is this intended behavior?
For example, the following form descriptor using an interface message through wfMessage()->text() is an XSS vector.
```php
$formDescriptor = [
	'simpletextfield' => [
		'label' => 'Simple Text Field',
		'class' => 'HTMLTextField',
		'help' => wfMessage( 'myextension-mymessage' )->text(), // not escaped by HTMLForm, XSS!
	]
];
```
We should rename the key to be help-raw, so users know it is a raw key. We should mark the old key name deprecated but keep it around for a transition period.
Afterwards we should adjust phan-taint-check to make sure it recognizes the new key name.
If you are fixing this, you probably need to edit (the comment in) includes/htmlform/HTMLForm.php and includes/htmlform/HTMLFormField.php, as well as mention the deprecation in RELEASE-NOTES.
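As an added example (not part of this task and not MediaWiki's own code), the descriptor above built three ways in PHP: the vulnerable raw `help` path, and two hardened variants. It assumes a MediaWiki extension context where `wfMessage()`, `HTMLForm::factory()` and `IContextSource` are available under their global (pre-namespacing) class names, that `HTMLFormField` renders a `help-message` key by parsing the named message with the wiki parser, and that the message key `myextension-mymessage` and the function names are hypothetical. The payload in the comment is a constructed sample of what a message could contain.

```php
<?php
// Added example, not from the task author or from MediaWiki core.
// Assumes: wfMessage(), HTMLForm, IContextSource exist as global names
// (MediaWiki extension context); 'myextension-mymessage' is a hypothetical
// message key. Suppose its on-wiki content (editable through the MediaWiki:
// namespace or supplied by a translation) is the constructed payload
//     <img src=x onerror=alert(document.cookie)>

/**
 * VULNERABLE: HTMLForm emits 'help' as raw HTML and ->text() performs no
 * escaping, so the message content lands verbatim in the form markup and
 * the onerror handler runs in the viewer's browser.
 */
function buildFormVulnerable( IContextSource $context ): HTMLForm {
	$formDescriptor = [
		'simpletextfield' => [
			'label' => 'Simple Text Field',
			'class' => 'HTMLTextField',
			'help'  => wfMessage( 'myextension-mymessage' )->text(), // XSS
		],
	];
	return HTMLForm::factory( 'ooui', $formDescriptor, $context );
}

/**
 * HARDENED, plain-text help: ->escaped() HTML-escapes the message, so the
 * payload is rendered literally ("&lt;img src=x ...") instead of executed.
 * Use this when the help text is not supposed to carry any markup.
 */
function buildFormEscaped( IContextSource $context ): HTMLForm {
	$formDescriptor = [
		'simpletextfield' => [
			'label' => 'Simple Text Field',
			'class' => 'HTMLTextField',
			'help'  => wfMessage( 'myextension-mymessage' )->escaped(),
		],
	];
	return HTMLForm::factory( 'ooui', $formDescriptor, $context );
}

/**
 * HARDENED, help may contain wikitext: pass the message *key* with
 * 'help-message' rather than a pre-rendered string. HTMLFormField parses the
 * message with the wiki parser, whose sanitizer drops event-handler
 * attributes and other dangerous markup while keeping links and formatting.
 * (Equivalent when you must pre-render: 'help' => wfMessage( ... )->parse().)
 */
function buildFormHelpMessage( IContextSource $context ): HTMLForm {
	$formDescriptor = [
		'simpletextfield' => [
			'label'        => 'Simple Text Field',
			'class'        => 'HTMLTextField',
			'help-message' => 'myextension-mymessage',
		],
	];
	return HTMLForm::factory( 'ooui', $formDescriptor, $context );
}
```

For most extensions `help-message` is the right form, since it keeps rendering and sanitising inside HTMLForm; `->escaped()` fits when the help is plain text. Both keep message content off the raw-HTML path, which is the path the proposed `help-raw` rename is meant to make self-documenting.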