- if ( $this->format === 'plain' || $this->format === 'text' ) {
- return '<' . $this->key . '>';
- }
- return '<' . htmlspecialchars( $this->key ) . '>';
+ // Err on the side of safety, ensure that the output
+ // is always html safe in the event the message key is
+ // missing, since in that case its highly likely the
+ // message key is user-controlled.
+ // '⧼' is used instead of '<' to side-step any
+ // double-escaping issues.
+ return '⧼' . htmlspecialchars( $this->key ) . '⧽';