Remove XSS vulnerability in Label and Milestone dropdowns

CHANGELOG

@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.6.7
   - Fix persistent XSS vulnerability in `commit_person_link` helper
+  - Fix persistent XSS vulnerability in Label and Milestone dropdowns
   - Fix vulnerability that made it possible to enumerate private projects belonging to group
 
 v 8.6.6

app/assets/javascripts/labels_select.js.coffee

@@ -126,7 +126,7 @@ class @LabelsSelect
           "<li>
             <a href='#' class='#{selected}'>
               #{color}
-              #{label.title}
+              #{_.escape(label.title)}
             </a>
           </li>"
         filterable: true

app/assets/javascripts/milestone_select.js.coffee

@@ -53,7 +53,7 @@ class @MilestoneSelect
             defaultLabel
         fieldName: $dropdown.data('field-name')
         text: (milestone) ->
-          milestone.title
+          _.escape(milestone.title)
         id: (milestone) ->
           if !useId
             milestone.name