Issue #2490420 by jibran: EntityAutocomplete element settings allows sql injection and for arbitrary user-supplied data to be passed into unserialize()