Escape HTML in uploaded image filenames.

Fixes #1293.

wagtail/wagtailadmin/static/wagtailadmin/js/core.js

@@ -7,6 +7,18 @@ function addMessage(status, text) {
     }, 100);
 }
 
+function escapeHtml(text) {
+  var map = {
+    '&': '&',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#039;'
+  };
+
+  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
+}
+
 $(function() {
     // Add class to the body from which transitions may be hung so they don't appear to transition as the page loads
     $('body').addClass('ready');

wagtail/wagtailimages/static/wagtailimages/js/add-multiple.js

@@ -38,7 +38,7 @@ $(function() {
             }).always(function() {
                 data.context.removeClass('processing');
                 data.context.find('.left').each(function(index, elm) {
-                    $(elm).append(data.files[index].name);
+                    $(elm).append(escapeHtml(data.files[index].name));
                 });
 
                 data.context.find('.preview .thumb').each(function(index, elm) {