HTML Reporter: Fix encoding of label for urlConfig multi-value item
Cherry-picked from de3a37d (3.0.0-dev)

> When QUnit.config.urlConfig is used to create a multi-value option
> (rather than string, as is more common), then `val.label` was not
> escaped, which meant that if labels were to contain mention of an
> HTML tag or otherwise contain "<" and ">",
> these could glitch and break part of the toolbar rendering.
> This is unlikely to be exploitable, e.g. not controlled by
> URL parameters, and generally populated with literals. Even dynamic
> menus that feed dropdown contents from external input are fine,
> since this affects the top-level label only.
Krinkle committed Jul 7, 2024
1 parent b793908 commit 98d7942
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/html-reporter/html.js
Expand Up @@ -137,7 +137,7 @@ const stats = {
" title='" + escapedTooltip + "' />" + escapeText(val.label) + '</label>';
} else {
urlConfigHtml += "<label for='qunit-urlconfig-" + escaped +
"' title='" + escapedTooltip + "'>" + val.label +
"' title='" + escapedTooltip + "'>" + escapeText(val.label) +
": </label><select id='qunit-urlconfig-" + escaped +
"' name='" + escaped + "' title='" + escapedTooltip + "'><option></option>";
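Review bot: The replaced line in this hunk (`"'>" + val.label +`) concatenated the label into the markup unescaped while the checkbox branch just above already used `escapeText(val.label)`; wrapping it the same way brings the two branches into parity, and it would be worth confirming that the `<option>` entries appended after the empty `<option></option>` on the last line are built with the same `escapeText` helper rather than raw concatenation. Since the commit touches only `src/html-reporter/html.js`, a small regression test that renders a multi-value urlConfig item whose label contains `<` and `>` and asserts the escaped output would guard this branch against a repeat.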

