From 5ae77b111e97e9f5e2017a707c1a6587f29dba8d Mon Sep 17 00:00:00 2001
From: Arun Srinivasan <arun@getharvest.com>
Date: Thu, 7 Jun 2018 15:50:39 -0700
Subject: [PATCH] Escape the item's `group_label` when rendering it.

---
 coffee/lib/abstract-chosen.coffee | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coffee/lib/abstract-chosen.coffee b/coffee/lib/abstract-chosen.coffee
index d53c968fb81..e15282bee53 100644
--- a/coffee/lib/abstract-chosen.coffee
+++ b/coffee/lib/abstract-chosen.coffee
@@ -51,7 +51,7 @@ class AbstractChosen
 
   choice_label: (item) ->
     if @include_group_label_in_selected and item.group_label?
-      "<b class='group-name'>#{item.group_label}</b>#{item.html}"
+      "<b class='group-name'>#{this.escape_html(item.group_label)}</b>#{item.html}"
     else
       item.html