The message tutorial-popup-text3 in the SearchVue extension currently says:

You can turn previews on and off in the <a href="$1" target="_blank">search preferences</a>.

It includes HTML code. All translations that include <a href must be reviewed manually for security reasons (see the parent task), which is time-consuming and error-prone.

For example, this happened in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SearchVue/+/1018531. Here's the CI output:

+ contains_disallowed_html log/additions.txt
+ cat log/additions.txt
+ sed -E -e 's/<\/? ?(abbr|b|bdi|big|br|charinsert|citation|code|dd|del|div|dl|dt|em|h1|h2|h3|h4|hr|i|kbd|li|mark|math|NDL|nowiki|ol|p|page|pagelist|pages|pre|ref|samp|small|span|strong|sub|sup|syntaxhighlight|templatedata|templatestyles|tt|u|ul|user|var)( ((alttext|class|dir|display|id|lang|title|xml:lang|xmlns)=\\?["'\''][^=<>"'\'']*\\?["'\'']))* ?\/?>//g' -e 's/<!--//g' -e 's/<https?:\/\/[a-zA-Z0-9./-]*>//g'
+ grep '<'
+	"tutorial-popup-text3": "Ви можете вмикати та вимикати попередній перегляд у <a href=\"$1\" target=\"_blank\">налаштуваннях пошуку</a>.",
+ echo 'HTML detected. Manual review required'
HTML detected. Manual review required

In addition, this code is the same in all the languages, and translators shouldn't have to just copy it.

It would be great to remove this code from the message entirely. A good solution is to move the "search preferences" part into another message, then wrap it in the HTML element in the JS code, and insert everything into the main message as a parameter. In fact, it was kind of like that before T338212, but the messages were concatenated in run time and not inserted as a parameter, which is a bad practice (known as "lego" in localization jargon). Restoring the two messages, but inserting them correctly and not as concatenation, is a good thing to do.