When I create a select menu with options, I use PHP's htmlspecialchars() to escape the visible value of an option.
<option value="xxx"><?= htmlspecialchars('<script>alert("name")</script>') ?></option>
This is sufficient to prevent the execution of the JS for the currently selected item, but the items in the drop-down menu have the executable JS code. So, as soon as the drop-down with the menu options opens, the JS code is executed. Any way to fix this?
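
One likely cause, shown as an added example that is not part of the original post: a native select renders option text as plain text, so this assumes a script-driven dropdown widget that reads the already-decoded option text and writes it back into the page as HTML. The function names and the sample markup are constructed for illustration and do not come from any particular library.

```javascript
// Constructed sample: what the browser receives from PHP after htmlspecialchars().
const serverHtml =
  '<option value="xxx">&lt;script&gt;alert(&quot;name&quot;)&lt;/script&gt;</option>';

// Minimal stand-in for the HTML parser's entity decoding. A script that reads
// option.text or option.textContent gets this decoded string, not the entities.
function decodedOptionText(optionHtml) {
  const inner = optionHtml.replace(/^<option[^>]*>/, '').replace(/<\/option>$/, '');
  const entities = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&amp;': '&' };
  // Single pass, so "&amp;lt;" decodes to "&lt;" and is not decoded twice.
  return inner.replace(/&(lt|gt|quot|#039|amp);/g, (m) => entities[m]);
}

// Client-side counterpart of htmlspecialchars() with ENT_QUOTES.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: the widget concatenates the decoded label into markup that it later
// inserts as HTML (innerHTML, jQuery .html()/.append(), a template string).
function renderItemUnsafe(label) {
  return '<li class="item">' + label + '</li>';
}

// Corrected: escape again for the HTML context the label is written into.
// With real DOM nodes, assigning element.textContent = label has the same effect.
function renderItemSafe(label) {
  return '<li class="item">' + escapeHtml(label) + '</li>';
}

const label = decodedOptionText(serverHtml);
console.log('decoded label :', label);
console.log('unsafe markup :', renderItemUnsafe(label));
console.log('safe markup   :', renderItemSafe(label));
```

If the dropdown comes from a third-party widget, look for its option that controls whether labels are treated as HTML or text, and keep the server-side escaping in place either way.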