Unescaped entity property enables Javascript injection.
I think this is possible because %source_label% in twig macro is not escaped. Therefore script tags can be inserted and are executed.
persistent XSS. JS can be injected and executed.