Fix render bug for HTML translations in the bulk adding view

Previously in case the translation strings contained HTML, the
HTML was not escaped in the bulk adding view.

Author: ahukkanen

app/assets/javascripts/decidim/term_customizer/admin/translations_admin.js.es6

@@ -32,8 +32,13 @@ $(() => {
       const re = new RegExp(`(${sanitizedSearch.split(" ").join("|")})`, "gi");
       const modelId = item[0];
       const title = item[1];
+      // The terms are already escaped but when they are rendered to a data
+      // attribute, they get unescaped when those values are used. The only
+      // character we need to replace is the ampersand
+      const value = title.replace(/&/g, "&");
+
       const val = `${title} - ${modelId}`;
-      return `<div class="autocomplete-suggestion" data-model-id="${modelId}" data-val="${title}">${val.replace(re, "<b>$1</b>")}</div>`;
+      return `<div class="autocomplete-suggestion" data-model-id="${modelId}" data-val="${value}">${val.replace(re, "<b>$1</b>")}</div>`;
     },
     onSelect: function(event, term, item) {
       const $suggestions = $search.data("sc");

app/controllers/decidim/term_customizer/admin/add_translations_controller.rb

@@ -41,7 +41,7 @@ def search
           translations = directory.translations_search(params[:term])
           translations.reject! { |k| reject_keys.include?(k) }
 
-          render json: translations.map { |k, v| [k, v] }
+          render json: translations.map { |k, v| [k, ERB::Util.html_escape(v)] }
         end
 
         private