MDL-67637 core_message: only preview lastmessage text if safe to do so

If any html/script tags are found in the text() value, don't display it.

message/amd/src/message_drawer_view_overview_section.js

@@ -223,9 +223,12 @@ function(
                 // If that's not possible, we'll report it under the catch-all 'other media'.
                 var messagePreview = $(lastMessage.text).text();
                 if (messagePreview) {
+                    // The text value of the message must have no html/script tags.
+                    if (messagePreview.indexOf('<') == -1) {
                         return messagePreview;
                     }
                 }
+            }
 
             // As a fallback, report unknowns as 'other media' type content.
             var pix = 'i/messagecontentmultimediageneral';