prevent xss attack in Select2 select menu

styles/bootstrap/application.js

@@ -1,10 +1,15 @@
-/* Template function which outputs an option in a chzn-select */
+/* Template function which outputs an option in a chzn-select
+ * The replace() call is required to prevent xss attacks (see CVE-2019-12745)
+ * Using htmlspecialchars() in php isn't sufficient because, chzn_template_func
+ * will receive an unescaped string
+ * (see https://forums.select2.org/t/propperly-escape-option-value-to-prevent-xss/788)
+ */
 chzn_template_func =  function (state) {
 	var subtitle = $(state.element).data('subtitle');
 	var warning = $(state.element).data('warning');
-	var html = '<span>'+state.text+'';
+	var html = '<span>'+state.text.replace(/</g, '&lt;')+'';
 	if(subtitle)
-		html += '<br /><i>'+subtitle+'</i>';
+		html += '<br /><i>'+subtitle.replace(/</g, '&lt;')+'</i>';
 	if(warning)
 		html += '<br /><span class="label label-warning"><i class="icon-warning-sign"></i></span> '+warning+'';
 	html += '</span>';
@@ -38,7 +43,8 @@ $(document).ready( function() {
 
 	$(".chzn-select").select2({
 		width: '100%',
-		templateResult: chzn_template_func
+		templateResult: chzn_template_func,
+		templateSelection: chzn_template_func
 	});
 
 	/* change the color and length of the bar graph showing the password