Django TomSelect incomplete escaping of dangerous characters in widget attributes
User-supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in the browser as valid HTML tags.
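The following is an added example, not code from django-tomselect: a regression check that renders widget attributes, parses the markup back, and confirms that exactly one element with the original attribute values results. The function names, the `select` element and the sample attribute values are assumptions made for illustration; only the Python standard library is used so it runs offline.

```python
from html import escape
from html.parser import HTMLParser


def render_attrs_unescaped(attrs):
    # Hypothetical "before" renderer: values are interpolated as-is.
    return " ".join(f'{k}="{v}"' for k, v in attrs.items())


def render_attrs_escaped(attrs):
    # Hardened renderer: escape &, <, >, " and ' in every value.
    # (In Django code, django.utils.html.escape or format_html does this.)
    return " ".join(
        f'{k}="{escape(str(v), quote=True)}"' for k, v in attrs.items()
    )


class _TagCollector(HTMLParser):
    """Records every start tag and its decoded attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def attrs_round_trip(render, attrs, tag="select"):
    """True if the rendered widget parses back to exactly one element
    whose attributes equal the values that were passed in."""
    markup = f"<{tag} {render(attrs)}></{tag}>"
    expected = [(tag, {k: str(v) for k, v in attrs.items()})]
    return parse_tags(markup) == expected


# Constructed sample: a value containing a quote and angle brackets.
SAMPLE = {"id": "id_author", "data-placeholder": '"><b>injected</b>'}

if __name__ == "__main__":
    print("unescaped round-trips:", attrs_round_trip(render_attrs_unescaped, SAMPLE))
    print("escaped round-trips:  ", attrs_round_trip(render_attrs_escaped, SAMPLE))
```

The same round-trip assertion can be pointed at a real widget's rendered output in a project's test suite to catch attribute values that reach the page unescaped.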