filters: Escape State names when generating selector HTML

States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.

Signed-off-by: Andrew Donnellan <[email protected]>

Author: ajdlinux

patchwork/filters.py

@@ -262,7 +262,7 @@ def form(self):
                 selected = ' selected="true"'
 
             out += '<option value="%d" %s>%s</option>' % (
-                state.id, selected, state.name)
+                state.id, selected, escape(state.name))
         out += '</select>'
         return mark_safe(out)