XSS Bug when using the include_group_label_in_selected option

[satchmorun]

Description

Specially crafted optgroup labels can cause code to execute if a Chosen instance is instantiated with the include_group_label_in_selected option is set to true.

Steps to reproduce

1. Instantiate a chosen instance with include_group_label_in_selected: true
2. Have the select include an optgroup with a label of </script><script>alert('hi')</script>Label (or something along those lines)
3. Choose any of the options in that optgroup, and see the alert pop up!

Demo: https://jsbin.com/xavila/edit?html,output

Expected behavior

The sneaky label's text should be escaped.

Actual behavior

The sneaky label's text can be executed as code.

Environment

• Chosen Version: 1.8.6
• jQuery Version: 3.3.1 (though it doesn't matter)
• Browser and Version: Chrome Version 66.0.3359.181
• OS and Version: macOS Sierra (10.12.6)

Additional information

Any other information you want to share that is relevant to the issue being reported. This might include the lines of code that you have identified as causing the bug, or potential solutions and workarounds.

[satchmorun]

Hopefully, I'll be able to get to a PR for this soon, but wanted to get this issue created just in case anybody else could get to it quicker.

❤️

[satchmorun]

Fix XSS vulnerability in Chosen