From d44534bf812512daa9d5a3b68d0ef7928def99b8 Mon Sep 17 00:00:00 2001
From: Adam Wathan
Date: Fri, 7 Jul 2017 12:13:45 -0400
Subject: [PATCH] Don't escape label contents

Trying to protect against XSS in the case that someone is using user input for label contents is not worth the trade-off of disallowing users of the library to customize the HTML contents of their labels. If you are using user input in your labels, I recommend escaping that data manually before including it in your label.
---
 src/AdamWathan/Form/Elements/Label.php | 4 ++--
 tests/LabelTest.php | 8 --------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/src/AdamWathan/Form/Elements/Label.php b/src/AdamWathan/Form/Elements/Label.php
index a2b23ae..8acdb24 100644
--- a/src/AdamWathan/Form/Elements/Label.php
+++ b/src/AdamWathan/Form/Elements/Label.php
@@ -20,13 +20,13 @@ public function render()
 $tags = [sprintf('', $this->renderAttributes())];
 if ($this->labelBefore) {
- $tags[] = $this->escape($this->label);
+ $tags[] = $this->label;
 }
 $tags[] = $this->renderElement();
 if (! $this->labelBefore) {
- $tags[] = $this->escape($this->label);
+ $tags[] = $this->label;
 }
 $tags[] = '';
diff --git a/tests/LabelTest.php b/tests/LabelTest.php
index dc0701d..d419971 100644
--- a/tests/LabelTest.php
+++ b/tests/LabelTest.php
@@ -75,12 +75,4 @@ public function testCanRetrieveElement()
 $result = $label->after($element)->getControl();
 $this->assertEquals($element, $result);
 }
-
- public function testAgainstXssAttacksInLabel()
- {
- $label = new Label('');
- $expected = '';
- $result = $label->render();
- $this->assertEquals($expected, $result);
- }
 }
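Review bot: With the escape() call dropped on both `+` lines, any caller that passes request-derived text as a label (a validation message, a record name, a translated string built from input) now has an HTML injection sink, and nothing in this hunk tells them so; render() starts before the hunk and continues after it, so its docblock, if any, is not visible here. Rather than making raw output the only behaviour, keep escaping as the default and let callers opt in explicitly, e.g. `$tags[] = $this->allowHtml ? $this->label : $this->escape($this->label);` on both changed lines, backed by a chainable setter that flips `$this->allowHtml = true` — the escape() helper the removed lines call presumably still exists on the class. If the commit is kept as is, at minimum add a docblock on render() such as `Renders the label; label text is emitted unescaped, so callers must htmlspecialchars() any user-supplied value before passing it in.`, and the deleted XSS test should be replaced by one pinning whichever contract is chosen rather than dropped outright.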