Escape the item's group_label when rendering it.

harvesthq · Jun 7, 2018 · 0fec73f · 0fec73f
1 parent adad970
commit 0fec73f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/coffee/lib/abstract-chosen.coffee b/coffee/lib/abstract-chosen.coffee
@@ -51,7 +51,7 @@ class AbstractChosen
 
  choice_label: (item) ->
  if @include_group_label_in_selected and item.group_label?
- "<b class='group-name'>#{item.group_label}</b>#{item.html}"
+ "<b class='group-name'>#{this.escape_html(item.group_label)}</b>#{item.html}"
  else
  item.html