RCFilters: HTML-escape tag names in filter capsules

Bug: T178975
Change-Id: I9544a675fa2801bdb5d7de3ebd162a4214de740f

diff --git a/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js b/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js
index d940321..2b5d020 100644 (file)
--- a/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js
+++ b/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js
@@ -83,12 +83,13 @@
         * Get a prefixed label
         *
         * @param {boolean} inverted This item should be considered inverted
-        * @return {string} Prefixed label
+        * @return {string} Prefixed label (HTML)
         */
        mw.rcfilters.dm.ItemModel.prototype.getPrefixedLabel = function ( inverted ) {
+               var escapedLabel = mw.html.escape( this.getLabel() );
                if ( this.labelPrefixKey ) {
                        if ( typeof this.labelPrefixKey === 'string' ) {
-                               return mw.message( this.labelPrefixKey, this.getLabel() ).parse();
+                               return mw.message( this.labelPrefixKey, escapedLabel ).parse();
                        } else {
                                return mw.message(
                                        this.labelPrefixKey[
@@ -97,11 +98,11 @@
                                                inverted && this.isSelected() ?
                                                        'inverted' : 'default'
                                        ],
-                                       this.getLabel()
+                                       escapedLabel
                                ).parse();
                        }
                } else {
-                       return this.getLabel();
+                       return escapedLabel;
                }
        };