Drupal\field_ui\DisplayOverview takes the definitions of extra fields, and runs the label through check_plain():
```php
$extra_fields = field_info_extra_fields($this->entity_type, $this->bundle, 'display');
// SNIP
'human_name' => array(
  '#markup' => check_plain($extra_field['label']),
),
```
However, the documentation and the sample code for the hook that defines the label, http://api.drupal.org/api/drupal/core!modules!field!field.api.php/function/hook_field_extra_fields/8, imply that it's the hook's responsibility to sanitize this:
> label: The human readable name of the element.
'Human labels' are usually sanitized text, I think. And the sample code has:
```php
$extra['node'][$bundle->type]['display']['language'] = array(
  'label' => t('Language'),
  'description' => $description,
  'weight' => 0,
  'visible' => FALSE,
);
```
The problem with the user running check_plain() is that the '%' placeholder can't be used in the call to t() for emphasis.
For example, with Flag module, I'd like to say: "Flag %user-entered-label".
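To make the escaping conflict concrete, here is an added, stand-alone PHP example (not code from Drupal core or the Flag module). `sim_check_plain()`, `sim_t()` and `sim_display_overview_render()` are minimal stand-ins for `check_plain()`, the placeholder handling of `t()`/`format_string()`, and what `DisplayOverview` does with the label; the flag label is a constructed value chosen to show why exactly one layer has to escape.

```php
<?php
// Added example: simulates check_plain(), the '%', '@' and '!' placeholders
// of t(), and DisplayOverview's check_plain() call, without needing Drupal.

// Stand-in for check_plain(): HTML-escape a plain-text string once.
function sim_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for t()/format_string(): '%key' is escaped and wrapped in
// <em class="placeholder">, '@key' is escaped, '!key' is inserted verbatim.
function sim_t($string, array $args = array()) {
  $replacements = array();
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '%':
        $replacements[$key] = '<em class="placeholder">' . sim_check_plain($value) . '</em>';
        break;
      case '@':
        $replacements[$key] = sim_check_plain($value);
        break;
      default:
        $replacements[$key] = $value;
    }
  }
  return strtr($string, $replacements);
}

// Stand-in for DisplayOverview: it always runs check_plain() on the label.
function sim_display_overview_render($label) {
  return sim_check_plain($label);
}

// Constructed user-entered flag label (hypothetical) containing markup.
$user_label = 'Needs review <script>alert(1)</script>';

$cases = array(
  // A: hook sanitizes via t('%...') AND DisplayOverview runs check_plain().
  // The <em> wrapper is escaped a second time and appears as literal text.
  'A: hook t(%) + check_plain()' =>
    sim_display_overview_render(sim_t('Flag %label', array('%label' => $user_label))),

  // B: hook returns plain, unsanitized text and DisplayOverview escapes once.
  // Correct and safe, but no emphasis is possible from the hook side.
  'B: hook raw + check_plain()' =>
    sim_display_overview_render('Flag ' . $user_label),

  // C: hook sanitizes via t('%...') and DisplayOverview passes it through.
  // Emphasis works; safe only because the hook escaped the user value.
  'C: hook t(%) + passthrough' =>
    sim_t('Flag %label', array('%label' => $user_label)),

  // D: nobody escapes ('!' placeholder, passthrough). The script tag reaches
  // the browser; this is the case DisplayOverview's check_plain() guards against.
  'D: hook ! + passthrough' =>
    sim_t('Flag !label', array('!label' => $user_label)),
);

foreach ($cases as $name => $html) {
  printf("%-32s %s\n", $name, $html);
}
```

Cases A and B are what the current `DisplayOverview` code yields depending on what the hook returns; case C is the behaviour the report is asking for, and case D shows what goes wrong if the display layer stops escaping without the hook taking over that duty. Whichever layer is made responsible, it has to be exactly one of them.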