fix xss vulnerability when deleting labels

awx/ui/client/src/job-templates/labels/labelsList.directive.js

@@ -7,7 +7,8 @@ export default
         'ProcessErrors',
         'Prompt',
         '$q',
-        function(templateUrl, Wait, Rest, GetBasePath, ProcessErrors, Prompt, $q) {
+        '$filter',
+        function(templateUrl, Wait, Rest, GetBasePath, ProcessErrors, Prompt, $q, $filter) {
             return {
                 restrict: 'E',
                 scope: false,
@@ -65,7 +66,7 @@ export default
 
                         Prompt({
                             hdr: 'Remove Label from ' + templateName,
-                            body: '<div class="Prompt-bodyQuery">Confirm  the removal of the <span class="Prompt-emphasis">' + labelName + '</span> label.</div>',
+                            body: '<div class="Prompt-bodyQuery">Confirm  the removal of the <span class="Prompt-emphasis">' + $filter('sanitize')(labelName) + '</span> label.</div>',
                             action: action,
                             actionText: 'REMOVE'
                         });

awx/ui/client/src/shared/Utilities.js

@@ -608,8 +608,8 @@ angular.module('Utilities', ['RestServices', 'Utilities', 'sanitizeFilter'])
  * ]
  * ```
  */
-.factory('CreateSelect2', [
+.factory('CreateSelect2', ['$filter',
-    function () {
+    function ($filter) {
         return function (params) {
 
             var element = params.element,
@@ -641,6 +641,9 @@ angular.module('Utilities', ['RestServices', 'Utilities', 'sanitizeFilter'])
                     containerCssClass: 'Form-dropDown',
                     width: '100%',
                     minimumResultsForSearch: Infinity,
+                    escapeMarkup: function(m) {
+                        return $filter('sanitize')(m);
+                    }
                 };
 
                 // multiple-choice directive calls select2 but needs to do so without this custom adapter