luci-base: ui.js: HTML escape custom dropdown values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/modules/luci-base/htdocs/luci-static/resources/ui.js b/modules/luci-base/htdocs/luci-static/resources/ui.js
index bff717eb8ebfdc3767520112b509eabbef78c1db..e47e11b1cddd8dacdef4977f6e7f9bf51feefada 100644 (file)
--- a/modules/luci-base/htdocs/luci-static/resources/ui.js
+++ b/modules/luci-base/htdocs/luci-static/resources/ui.js
@@ -879,7 +879,7 @@ var UIDropdown = UIElement.extend({
                                else
                                        markup = '<li data-value="{{value}}">{{value}}</li>';
 
-                               new_item = E(markup.replace(/{{value}}/g, item));
+                               new_item = E(markup.replace(/{{value}}/g, '%h'.format(item)));
 
                                if (sbox.options.multiple) {
                                        sbox.transformItem(sb, new_item);