Issue #2512478 by googletorp, pwolanin, G1N1: XSS on field edit form via label field via ckeditor

8.0.x
Alex Pott 2015-06-28 15:22:33 +01:00
parent 1462460f3f
commit f1314cced2
1 changed files with 1 additions and 1 deletions


@ -30,7 +30,7 @@
// Set a title on the CKEditor instance that includes the text field's
// label so that screen readers say something that is understandable
// for end users.
var label = $('label[for=' + element.getAttribute('id') + ']').text();
var label = $('label[for=' + element.getAttribute('id') + ']').html();
format.editorSettings.title = Drupal.t("Rich Text Editor, !label field", {'!label': label});
// CKEditor initializes itself in a read-only state if the 'disabled'