
Escape values in metric segment and sql part

Sven Klemm 7 anos atrás
pai
commit
3a25a0de83

+ 3 - 2
public/app/core/components/sql_part/sql_part_editor.ts

@@ -109,12 +109,12 @@ export function sqlPartEditorDirective($compile, templateSrv) {
           $scope.$apply(() => {
             $scope.handleEvent({ $event: { name: 'get-param-options', param: param } }).then(result => {
               const dynamicOptions = _.map(result, op => {
-                return op.value;
+                return _.escape(op.value);
               });
 
               // add current value to dropdown if it's not in dynamicOptions
               if (_.indexOf(dynamicOptions, part.params[paramIndex]) === -1) {
-                dynamicOptions.unshift(part.params[paramIndex]);
+                dynamicOptions.unshift(_.escape(part.params[paramIndex]));
               }
 
               callback(dynamicOptions);
@@ -129,6 +129,7 @@ export function sqlPartEditorDirective($compile, templateSrv) {
           minLength: 0,
           items: 1000,
           updater: value => {
+            value = _.unescape(value);
             if (value === part.params[paramIndex]) {
               clearTimeout(cancelBlur);
               $input.focus();
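Review bot: The membership check `if (_.indexOf(dynamicOptions, part.params[paramIndex]) === -1)` now compares escaped dropdown entries against the raw current value, so a parameter containing `&`, `<`, `>`, `"` or `'` is never found and is prepended a second time as a duplicate; compare on the escaped form instead, e.g. `const current = _.escape(part.params[paramIndex]); if (_.indexOf(dynamicOptions, current) === -1) { dynamicOptions.unshift(current); }`. The new `value = _.unescape(value)` in `updater` also applies to text the user typed freely, not only to selected options, so a deliberately typed `&amp;` or `&lt;` is silently turned into `&`/`<` before it reaches `part.params`; escaping at render time (the typeahead `highlighter` hook) would avoid rewriting the data model, though I cannot see from this hunk whether that hook is wired here. Both hunks sit inside `sqlPartEditorDirective`, whose body starts and ends outside the shown lines.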

+ 5 - 4
public/app/core/directives/metric_segment.ts

@@ -56,7 +56,7 @@ export function metricSegment($compile, $sce) {
             }
           } else if (segment.custom !== 'false') {
             segment.value = value;
-            segment.html = $sce.trustAsHtml(value);
+            segment.html = _.escape(value);
             segment.expandable = true;
             segment.fake = false;
           }
@@ -95,7 +95,7 @@ export function metricSegment($compile, $sce) {
             // add custom values
             if (segment.custom !== 'false') {
               if (!segment.fake && _.indexOf(options, segment.value) === -1) {
-                options.unshift(segment.value);
+                options.unshift(_.escape(segment.value));
               }
             }
 
@@ -105,6 +105,7 @@ export function metricSegment($compile, $sce) {
       };
 
       $scope.updater = value => {
+        value = _.unescape(value);
         if (value === segment.value) {
           clearTimeout(cancelBlur);
           $input.focus();
@@ -219,7 +220,7 @@ export function metricSegmentModel(uiSegmentSrv, $q) {
             cachedOptions = $scope.options;
             return $q.when(
               _.map($scope.options, option => {
-                return { value: option.text };
+                return { value: _.escape(option.text) };
               })
             );
           } else {
@@ -229,7 +230,7 @@ export function metricSegmentModel(uiSegmentSrv, $q) {
                 if (option.html) {
                   return option;
                 }
-                return { value: option.text };
+                return { value: _.escape(option.text) };
               });
             });
           }
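Review bot: The check `if (!segment.fake && _.indexOf(options, segment.value) === -1)` compares the raw `segment.value` against option strings that the later hunks now pre-escape (`{ value: _.escape(option.text) }`), so a custom value containing `&`, `<`, `>`, `"` or `'` is treated as missing and pushed as a duplicate; use `_.indexOf(options, _.escape(segment.value)) === -1` so the lookup uses the same representation as the `unshift` beside it. Replacing `$sce.trustAsHtml(value)` with `_.escape(value)` turns `segment.html` from a trusted-HTML wrapper into a plain string; if the template binds it with `ng-bind-html`, Angular rejects an untrusted string unless ngSanitize is loaded, so `$sce.trustAsHtml(_.escape(value))` is the form that both neutralises markup and keeps the contract the `option.html` passthrough at the end appears to rely on — worth confirming against the template, which is not in the diff. Options that arrive with a pre-built `option.html` are still returned unescaped, so whatever constructs that HTML remains responsible for escaping it. These hunks lie inside `metricSegment` and `metricSegmentModel`, both of which begin and end outside the shown lines.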