Comment 2 for bug 394032

The specific problem mentioned here of the overlay firing the alert is in the lazr-js picker. Attaching a first pass at a patch, just to demonstrate the area of the code that needs looking at. However, I think the patch should be extended and the picker should be looked over carefully as I am sure there are other areas where createTextNode should be used to safely escape the json data being inserted.