Fix #17583: XSS in projax_api.php

Offensive Security reported this issue via their bug bounty program [1].

The Projax library does not properly escape html strings.  An attacker
could take advantage of this to perform an XSS attack using the
profile/Platform field.

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>

core/projax_api.php

@@ -70,7 +70,7 @@ function projax_array_serialize_for_autocomplete( $p_array ) {
 	$t_matches = '<ul>';
 
 	foreach( $p_array as $t_entry ) {
-		$t_matches .= "<li>$t_entry</li>";
+		$t_matches .= '<li>' . string_attribute( $t_entry ) . '</li>';
 	}
 
 	$t_matches .= '</ul>';