diff --git a/composer.json b/composer.json
index 494cef7dc..4d783ffad 100644
--- a/composer.json
+++ b/composer.json
@@ -10,7 +10,7 @@
 },
 "require-dev": {
 "mediawiki/mediawiki-codesniffer": "31.0.0",
- "mediawiki/mediawiki-phan-config": "0.9.1",
+ "mediawiki/mediawiki-phan-config": "0.10.2",
 "mediawiki/minus-x": "1.0.0",
 "php-parallel-lint/php-console-highlighter": "0.5.0",
 "php-parallel-lint/php-parallel-lint": "1.2.0"
@@ -25,8 +25,5 @@
 "phpcs -p -s",
 "minus-x check ."
 ]
- },
- "extra": {
- "phan-taint-check-plugin": "2.0.1"
 }
 }
diff --git a/includes/AbuseFilter.php b/includes/AbuseFilter.php
index 5bd799194..820649fff 100644
--- a/includes/AbuseFilter.php
+++ b/includes/AbuseFilter.php
@@ -1571,7 +1571,7 @@ class AbuseFilter {
 
 /**
 * @param string $action
- * @return string
+ * @return string HTML
 */
 public static function getActionDisplay( $action ) {
 // Give grep a chance to find the usages:
@@ -1579,7 +1579,7 @@ class AbuseFilter {
 // abusefilter-action-blockautopromote, abusefilter-action-block, abusefilter-action-degroup,
 // abusefilter-action-rangeblock, abusefilter-action-disallow
 $display = wfMessage( "abusefilter-action-$action" )->escaped();
- $display = wfMessage( "abusefilter-action-$action", $display )->isDisabled()
+ $display = wfMessage( "abusefilter-action-$action" )->rawParams( $display )->isDisabled()
 ? htmlspecialchars( $action )
 : $display;
 
diff --git a/includes/AbuseLogHitFormatter.php b/includes/AbuseLogHitFormatter.php
index a2fbb284d..df0d04402 100644
--- a/includes/AbuseLogHitFormatter.php
+++ b/includes/AbuseLogHitFormatter.php
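Review bot: In the second AbuseFilter.php hunk, feeding the message's own escaped output back into it via `rawParams( $display )` only to call `isDisabled()` obscures intent, since the parameter plays no part in the disabled check and a reader will assume it does. Build the message once and branch on it: `$msg = wfMessage( "abusefilter-action-$action" );` then `$display = $msg->isDisabled() ? htmlspecialchars( $action ) : $msg->escaped();`. Both branches still yield escaped HTML, so the `@return string HTML` contract added in the previous hunk holds and there is a single place to audit for escaping. If the extra parameter exists only to satisfy the taint checker, a one-line comment saying so belongs on that line, otherwise the next maintainer will simplify it away. getActionDisplay's body continues past the end of the hunk.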
@@ -40,11 +40,11 @@ class AbuseLogHitFormatter extends LogFormatter {
 ) );
 }
 
- $actions_taken = $entry['actions'];
- if ( !strlen( trim( $actions_taken ) ) ) {
+ $actions_takenRaw = $entry['actions'];
+ if ( !strlen( trim( $actions_takenRaw ) ) ) {
 $actions_taken = $this->msg( 'abusefilter-log-noactions' );
 } else {
- $actions = explode( ',', $actions_taken );
+ $actions = explode( ',', $actions_takenRaw );
 $displayActions = [];
 foreach ( $actions as $action ) {
@@ -52,7 +52,7 @@ class AbuseLogHitFormatter extends LogFormatter {
 }
 $actions_taken = $this->context->getLanguage()->commaList( $displayActions );
 }
- $params[5] = $actions_taken;
+ $params[5] = Message::rawParam( $actions_taken );
 
 // Bad things happen if the numbers are not in correct order
 ksort( $params );
diff --git a/includes/Views/AbuseFilterView.php b/includes/Views/AbuseFilterView.php
index e3b2236ab..fc916193d 100644
--- a/includes/Views/AbuseFilterView.php
+++ b/includes/Views/AbuseFilterView.php
@@ -237,7 +237,7 @@ abstract class AbuseFilterView extends ContextSource {
 
 /**
 * @param IDatabase $db
- * @param string|bool $action 'edit', 'move', 'createaccount', 'delete' or false for all
+ * @param string|false $action 'edit', 'move', 'createaccount', 'delete' or false for all
 * @return string
 */
 public function buildTestConditions( IDatabase $db, $action = false ) {
@@ -279,6 +279,7 @@ abstract class AbuseFilterView extends ContextSource {
 // Done later
 break;
 default:
+ // @phan-suppress-next-line PhanTypeSuspiciousStringExpression False does not reach here
 throw new MWException( __METHOD__ . ' called with invalid action: ' . $action );
 }
 
diff --git a/includes/special/SpecialAbuseLog.php b/includes/special/SpecialAbuseLog.php
index 8ed16bc7e..9d1db75b6 100644
--- a/includes/special/SpecialAbuseLog.php
+++ b/includes/special/SpecialAbuseLog.php
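Review bot: `$params[5] = Message::rawParam( $actions_taken )` in the second AbuseLogHitFormatter.php hunk declares the value to be pre-escaped HTML in both branches, but in the no-actions branch `$actions_taken` is still the `Message` object from `$this->msg( 'abusefilter-log-noactions' )`, so the two branches hand rawParam different types and the object's own string conversion decides the escaping. Make it explicit and consistent with SpecialAbuseLog.php, which already does this: `$actions_taken = $this->msg( 'abusefilter-log-noactions' )->escaped();`. The `else` branch now relies on whatever fills `$displayActions` (presumably `AbuseFilter::getActionDisplay()`, whose docblock in the previous file now promises HTML) staying escaped, and if this formatter also serves plaintext output such as IRC or e-mail, a raw HTML param would leak markup there; a short comment above `$params[5]` stating that both branches must yield escaped HTML would make the dependency visible. `$actions_takenRaw`, here and in the SpecialAbuseLog.php hunk below, mixes snake_case and camelCase; `$rawActions` or `$actions_taken_raw` would follow one convention. The enclosing method begins before and ends after the hunk.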
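Review bot: The added `@phan-suppress-next-line PhanTypeSuspiciousStringExpression` in the AbuseFilterView.php `default:` branch silences the checker with an assertion ("False does not reach here") that nothing in the code enforces, and such comments tend to outlive the invariant they describe. Stringifying defensively removes the warning without a suppression and also produces a readable message should a non-string ever arrive: `throw new MWException( __METHOD__ . ' called with invalid action: ' . var_export( $action, true ) );`. If the suppression is kept, the comment should say which earlier `case` handles `false` so the claim can be checked. buildTestConditions starts in the preceding hunk and its body continues outside this one.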
@@ -1079,13 +1079,13 @@ class SpecialAbuseLog extends AbuseFilterSpecialPage {
 $userLink .= ' (' . WikiMap::getWikiName( $row->afl_wiki ) . ')';
 }
 
- $timestamp = $lang->timeanddate( $row->afl_timestamp, true );
+ $timestamp = htmlspecialchars( $lang->timeanddate( $row->afl_timestamp, true ) );
 
- $actions_taken = $row->afl_actions;
- if ( !strlen( trim( $actions_taken ) ) ) {
+ $actions_takenRaw = $row->afl_actions;
+ if ( !strlen( trim( $actions_takenRaw ) ) ) {
 $actions_taken = $this->msg( 'abusefilter-log-noactions' )->escaped();
 } else {
- $actions = explode( ',', $actions_taken );
+ $actions = explode( ',', $actions_takenRaw );
 $displayActions = [];
 foreach ( $actions as $action ) {
@@ -1158,7 +1158,7 @@ class SpecialAbuseLog extends AbuseFilterSpecialPage {
 $timestamp,
 $userLink,
 $filterLink,
- $row->afl_action,
+ htmlspecialchars( $row->afl_action ),
 $pageLink,
 $actions_taken,
 $escaped_comments,
@@ -1173,7 +1173,7 @@ class SpecialAbuseLog extends AbuseFilterSpecialPage {
 $description = $this->msg( $msg )->rawParams(
 $timestamp,
 $userLink,
- $row->afl_action,
+ htmlspecialchars( $row->afl_action ),
 $pageLink,
 $actions_taken,
 $escaped_comments,
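Review bot: `htmlspecialchars( $row->afl_action )` is now evaluated twice, once in each `rawParams()` list (the hunks at 1158 and 1173), which leaves two places to keep in step the next time a parameter is added. Hoist it next to the new `$timestamp` line as `$escapedAction = htmlspecialchars( $row->afl_action );` and pass `$escapedAction` in both lists, mirroring how `$escaped_comments` is already prepared once. With every argument to `rawParams()` then built in one block, the rule this method depends on, that everything passed there is already HTML, can be audited in a single place. The enclosing method begins before the first hunk and continues after the last.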