Make sure label text is escaped if it is not safe

Signed-off-by: Rafael Mendonça França <rafaelmfranca@gmail.com>

lib/simple_form/components/labels.rb

@@ -2,6 +2,7 @@ module SimpleForm
   module Components
     module Labels
       extend ActiveSupport::Concern
+      include ERB::Util
 
       module ClassMethods #:nodoc:
         def translate_required_html
@@ -30,7 +31,7 @@ module SimpleForm
       end
 
       def label_text
-        SimpleForm.label_text.call(raw_label_text, required_label_text).strip.html_safe
+        SimpleForm.label_text.call(html_escape(raw_label_text), required_label_text).strip.html_safe
       end
 
       def label_target

test/form_builder/label_test.rb

@@ -29,6 +29,16 @@ class LabelTest < ActionView::TestCase
     assert_select 'label.string.required[for=validating_user_name]', /Name/
   end
 
+  test 'builder should escape label text' do
+    with_label_for @user, :name, label: '<script>alert(1337)</script>', required: false
+    assert_select 'label.string', "&lt;script&gt;alert(1337)&lt;/script&gt;"
+  end
+
+  test 'builder should not escape label text if it is safe' do
+    with_label_for @user, :name, label: '<script>alert(1337)</script>'.html_safe, required: false
+    assert_select 'label.string script', "alert(1337)"
+  end
+
   test 'builder should allow passing options to label tag' do
     with_label_for @user, :name, label: 'My label', id: 'name_label'
     assert_select 'label.string#name_label', /My label/