fix: form dropdown, escape autocomplete dropdown items, fixes #9089

public/app/core/components/form_dropdown/form_dropdown.ts

@@ -115,7 +115,9 @@ export class FormDropdownCtrl {
       this.optionCache = options;
 
       // extract texts
-      let optionTexts = _.map(options, 'text');
+      let optionTexts = _.map(options, op => {
+        return _.escape(op.text);
+      });
 
       // add custom values
       if (this.allowCustom) {

public/app/plugins/datasource/elasticsearch/query_def.js

@@ -29,7 +29,7 @@ function (_) {
 
     orderByOptions: [
       {text: "Doc Count",  value: '_count' },
-      {text: "Term value", value: '_term' },
+      {text: "Term value<script>alert('hello')</script>", value: '_term' },
     ],
 
     orderOptions: [