As surfaced via `mwext-php72-phan-seccheck-docker` in https://gerrit.wikimedia.org/r/578566, the #phan-taint-check-plugin finds a {icon exclamation-triangle color=red} SecurityCheck-XSS warning in `includes/GlobalBlockingHooks.php` within the GlobalBlocking extension. This appears to be a **false positive** as both of the suspect `Html::rawElement` calls (lines [[ https://gerrit.wikimedia.org/g/mediawiki/extensions/GlobalBlocking/+/44827bb96cd5a36426bf32965d9fa48d68f557c9/includes/GlobalBlockingHooks.php#188 | 188 ]], [[ https://gerrit.wikimedia.org/g/mediawiki/extensions/GlobalBlocking/+/44827bb96cd5a36426bf32965d9fa48d68f557c9/includes/GlobalBlockingHooks.php#191 | 191 ]]) seem fine:
# The strings on line 189 are hard-coded HTML class attributes
# The strings on line 190 are sent to `parseAsBlock()`
# The `Html::rawElement` call on line 191 comes from [[ https://gerrit.wikimedia.org/g/mediawiki/extensions/GlobalBlocking/+/44827bb96cd5a36426bf32965d9fa48d68f557c9/includes/specials/GlobalBlockListPager.php#15 | GlobalBlockListPager::formatRow() ]], whose return value appears OK from a quick pass through the function. (All data sent to `parse()`, other data sent to `text()` should be harmless and `Linker::commentBlock()` should be fine here.)
Therefore, `GlobalBlockingHooks::onSpecialContributionsBeforeMainOutput()` should be safe and warrant the appropriate comment directive suppression.