
abp-select tagHelper's label property should be encoded (XSS) #16306

Closed
rainmakerho opened this issue Apr 19, 2023 · 0 comments

@rainmakerho

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I tried the abp-select example and added the label property.

```csharp
// MySimpleModal.cshtml.cs
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc.Rendering;
using Volo.Abp.AspNetCore.Mvc.UI.RazorPages;

namespace ProductManagement.Web.Pages
{
    public class MySimpleModalModel : AbpPageModel
    {
        // Passed to the abp-select label attribute; contains HTML markup on purpose
        public string Message { get; set; } = "<b>hello</b>";
        public string City { get; set; }
        public List<SelectListItem> CityList { get; set; } = new List<SelectListItem>
        {
            new SelectListItem { Value = "NY", Text = "<b>New York</b>"},
            new SelectListItem { Value = "LDN", Text = "London"},
            new SelectListItem { Value = "IST", Text = "Istanbul"},
            new SelectListItem { Value = "MOS", Text = "Moscow"}
        };

        public void OnGet(int productId)
        {
            //Message = $"Hello productId:<b>{productId}</b>!";
        }
    }
}
```

```cshtml
@* MySimpleModal.cshtml *@
@page
@model ProductManagement.Web.Pages.MySimpleModalModel
@{
    Layout = null;
}
<abp-modal>
    <abp-modal-header title="My Header"></abp-modal-header>
    <abp-modal-body>
        <abp-select asp-for="@Model.City" asp-items="@Model.CityList" label="@Model.Message" />
    </abp-modal-body>
    <abp-modal-footer buttons="Close"></abp-modal-footer>
</abp-modal>
```

I think the label should be encoded (`<b>hello</b>`), but it's not (hello).

Describe the solution you'd like

I would like to see `<b>hello</b>`

Additional context

I think this will cause an XSS issue.
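As an added example (not ABP's AbpSelectTagHelper or any code from the issue), a minimal ASP.NET Core tag helper showing the two ways a label string can reach the output: AppendHtml emits the markup verbatim and reproduces the behaviour reported above, while Append HTML-encodes it. DemoSelectTagHelper and DemoSelectRenderer are hypothetical names; the renderer runs the helper outside a Razor page so the difference can be checked in a unit test.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Razor.TagHelpers;

// Hypothetical tag helper for illustration; it is not ABP's own code.
[HtmlTargetElement("demo-select")]
public class DemoSelectTagHelper : TagHelper
{
    [HtmlAttributeName("label")]
    public string Label { get; set; } = "";

    // true reproduces the reported behaviour (label inserted as raw HTML)
    public bool RenderLabelAsRawHtml { get; set; }

    public override void Process(TagHelperContext context, TagHelperOutput output)
    {
        output.TagName = "select";
        output.TagMode = TagMode.StartTagAndEndTag;
        output.PreElement.AppendHtml("<label>");
        if (RenderLabelAsRawHtml)
            output.PreElement.AppendHtml(Label); // unsafe: "<b>" in Label becomes a real tag
        else
            output.PreElement.Append(Label);     // safe: Append() encodes with the page's HtmlEncoder
        output.PreElement.AppendHtml("</label>");
    }
}

public static class DemoSelectRenderer
{
    // Executes the tag helper with a constructed context and returns the rendered HTML.
    public static string Render(string label, bool raw)
    {
        var helper = new DemoSelectTagHelper { Label = label, RenderLabelAsRawHtml = raw };
        var context = new TagHelperContext(new TagHelperAttributeList(),
            new Dictionary<object, object>(), Guid.NewGuid().ToString("N"));
        var output = new TagHelperOutput("demo-select", new TagHelperAttributeList(),
            (useCached, encoder) => Task.FromResult<TagHelperContent>(new DefaultTagHelperContent()));
        helper.Process(context, output);
        using var writer = new StringWriter();
        output.WriteTo(writer, HtmlEncoder.Default);
        return writer.ToString();
    }

    public static void Main()
    {
        const string label = "<b>hello</b>"; // constructed sample value
        Console.WriteLine(Render(label, raw: true));  // markup survives: bold "hello" in the browser
        Console.WriteLine(Render(label, raw: false)); // "<" and ">" are entity-encoded: literal text
    }
}
```

Only the encoded variant is what the issue asks for: a label value that originates from model data must never be passed through AppendHtml or SetHtmlContent.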

@maliming maliming self-assigned this Apr 19, 2023
@maliming maliming removed the feature label Apr 19, 2023
@maliming maliming added this to the 7.2-final milestone Apr 19, 2023