Merge pull request #542 from wpmudev/fix/SUI-570

🐛 fix(select2): escape script tags in select2 options.

assets/js/shared-ui/select2.js

@@ -7,11 +7,23 @@
 
 	SUI.select = {};
 
+	SUI.select.escapeJS = ( string ) => {
+
+        // Create a temporary <div> element using jQuery and set the HTML content.
+        var div = $( '<div>' ).html( string );
+
+        // Get the text content of the <div> element and remove script tags
+        var text = div.text().replace( /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '' );
+
+        // Return the escaped text
+        return text;
+    };
+
 	SUI.select.formatIcon = ( data, container ) => {
 
 		let markup;
 
-		const label = data.text;
+		const label = SUI.select.escapeJS( data.text );
 		const icon  = $( data.element ).attr( 'data-icon' );
 
 		if ( ! data.id ) {
@@ -32,7 +44,7 @@
 
 		let markup;
 
-		const label = data.text;
+		const label = SUI.select.escapeJS( data.text );
 		const icon  = $( data.element ).attr( 'data-icon' );
 
 		if ( 'undefined' !== typeof icon ) {
@@ -49,7 +61,7 @@
 
 		let markup, border;
 
-		const label = data.text;
+		const label = SUI.select.escapeJS( data.text );
 		const color = $( data.element ).attr( 'data-color' );
 
 		if ( ! data.id ) {
@@ -90,7 +102,7 @@
 
 		let markup;
 
-		const label = data.text;
+		const label = SUI.select.escapeJS( data.text );
 		const color = $( data.element ).attr( 'data-color' );
 
 		if ( 'undefined' !== typeof color ) {
@@ -127,7 +139,7 @@
 
 		let markup;
 
-		const label   = data.text;
+		const label   = SUI.select.escapeJS( data.text );
 		const content = $( data.element ).val();
 
 		if ( ! data.id ) {
@@ -148,7 +160,7 @@
 
 		let markup;
 
-		const label = data.text;
+		const label = SUI.select.escapeJS( data.text );
 
 		markup  = '<span class="sui-icon-plus-circle sui-md" aria-hidden="true"></span>';
 		markup += '<span class="sui-screen-reader-text">' + label + '</span>';