Fix #11933: XSS via project_id_filter_target (filter advanced view)

A project name containing malicious scripting code could be printed out
the browser directly without sanitisation in the filter advanced view
when selecting projects to filter by.

Note that to exploit this bug, a user must have access to create/modify
projects on a MantisBT installation. Normally these users are trusted
(or are the system administrators of the MantisBT installation) so this
attack vector is subsequently limited in severity.

core/filter_api.php

@@ -3354,7 +3354,7 @@ function <?php echo $t_js_toggle_func;?>() {
 					} else {
 						$t_first_flag = false;
 					}
-					$t_output = $t_output . $t_this_name;
+					$t_output = $t_output . string_display_line( $t_this_name );
 				}
 				echo $t_output;
 			}