From 2cddc4dd54c2b03390ed3e3149b3d96de2b1168f Mon Sep 17 00:00:00 2001
From: Roan Kattouw <roan.kattouw@gmail.com>
Date: Wed, 25 Oct 2017 14:39:05 +0530
Subject: [PATCH] RCFilters: HTML-escape tag names in filter capsules

Bug: T178975
Change-Id: I9544a675fa2801bdb5d7de3ebd162a4214de740f
---
 .../mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js b/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js
index d940321342..2b5d020167 100644
--- a/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js
+++ b/resources/src/mediawiki.rcfilters/dm/mw.rcfilters.dm.ItemModel.js
@@ -83,12 +83,13 @@
 	 * Get a prefixed label
 	 *
 	 * @param {boolean} inverted This item should be considered inverted
-	 * @return {string} Prefixed label
+	 * @return {string} Prefixed label (HTML)
 	 */
 	mw.rcfilters.dm.ItemModel.prototype.getPrefixedLabel = function ( inverted ) {
+		var escapedLabel = mw.html.escape( this.getLabel() );
 		if ( this.labelPrefixKey ) {
 			if ( typeof this.labelPrefixKey === 'string' ) {
-				return mw.message( this.labelPrefixKey, this.getLabel() ).parse();
+				return mw.message( this.labelPrefixKey, escapedLabel ).parse();
 			} else {
 				return mw.message(
 					this.labelPrefixKey[
@@ -97,11 +98,11 @@
 						inverted && this.isSelected() ?
 							'inverted' : 'default'
 					],
-					this.getLabel()
+					escapedLabel
 				).parse();
 			}
 		} else {
-			return this.getLabel();
+			return escapedLabel;
 		}
 	};
 
-- 
2.20.1