Following up on the work being done for T45646, I've identified the following raw HTML messages in WMF-deployed extensions:

[ ] WikimediaMessages
  [x] wikimedia-mobile-license-links
  [x] wikimedia-copyright
  [x] wikidata-copyright
  [x] wikimedia-feedback-termsofuse
  [ ] //Others?//
[ ] JsonConfig
  [x] jsonconfig-license
  [ ] //Others?//
[ ] TimedMediaHandler
  [ ] some raw <a> tags can be seen in [[https://gerrit.wikimedia.org/g/mediawiki/extensions/TimedMediaHandler/+/master/MwEmbedModules/EmbedPlayer/i18n/en.json|the i18n file]], I haven't gone through to check which other messages are raw HTML
  [ ] //Others?//
[ ] WikiEditor
  [ ] all help messages (wikieditor-toolbar-help-*)
  [ ] all titles of jQuery UI dialogs (wikieditor-toolbar-tool-*-title)
  [ ] //Others?//
[ ] Gadgets
  [ ] MediaWiki:Gadgets-definition (and possibly others?)
  [ ] //Others?//

These messages should be added to the raw HTML messages list in extension.json, support for which is being added by @Tgr in his patch.
Needless to say, this list is not exhaustive. There are probably many other raw HTML messages, and a proper audit should be done. Perhaps @Bawolff, who wrote #phan-taint-check-plugin, might have thoughts on this?