Issue #2490420 by amateescu, larowlan, Berdir, dpi: EntityAutocomplete element settings allows sql injection and for arbitrary user-supplied data to be passed into unserialize()