Reported by Jan Hutař of Red Hat.

Description of problem:
There is a possible XSS: Configure -> Global parameters - key name with HTML evaluated when auto-completing

How reproducible:
always

Steps to Reproduce:
1. In webUI go to Configure -> Global parameters -> New Parameter
2. Fill in this:
Name: test<script>alert('HI')</script>
Value: something
Click "Submit" to create the parameter
3. Note that parameter name is correctly escaped in the parameters list
4. In the search bar above the table with parameters type "name = "
and wait for auto-complete function to display you recommendations

Actual results:
Once the recommendations are displayed, JavaScript alert window appears (script gets executed)

Expected results:
Stuff should be escaped in the suggested list.

Additional info:
Same happens for "value" when you type "value = " into the search box.