Prevent Cross-site scripting

app/assets/javascripts/sdg/related_list_selector.js

@@ -12,7 +12,7 @@
 
         amsify_suggestags.getTag = function(value) {
           if (this.getItem(value) !== undefined) {
-            return this.getItem(value).display_text;
+            return $("<div>" + this.getItem(value).display_text + "</div>").text();
           } else {
             return value;
           }

spec/system/xss_spec.rb

@@ -76,6 +76,16 @@ describe "Cross-Site Scripting protection", :js do
     expect(page.text).not_to be_empty
   end
 
+  scenario "SDG identifier", :admin do
+    Setting["feature.sdg"] = true
+    Setting["sdg.process.proposals"] = true
+    I18nContent.create!(key: "sdg.related_list_selector.goal_identifier", value: attack_code)
+
+    visit sdg_management_edit_proposal_path(create(:proposal, sdg_goals: [SDG::Goal[1]]))
+
+    expect(page.text).not_to be_empty
+  end
+
   scenario "proposal actions in dashboard" do
     proposal = create(:proposal)