Fixed missing escaping of HTML in search highlighting

material/base.html

@@ -196,7 +196,7 @@ <h1>{{ page.title | d(config.site_name, true)}}</h1>
         "base": base_url,
         "features": features,
         "translations": {},
-        "search": "assets/javascripts/workers/search.53c85856.min.js" | url,
+        "search": "assets/javascripts/workers/search.709b4209.min.js" | url,
         "version": config.extra.version or None
       } -%}
       {%- set translations = app.translations -%}
@@ -223,7 +223,7 @@ <h1>{{ page.title | d(config.site_name, true)}}</h1>
       </script>
     {% endblock %}
     {% block scripts %}
-      <script src="{{ 'assets/javascripts/bundle.716f8af4.min.js' | url }}"></script>
+      <script src="{{ 'assets/javascripts/bundle.2b46852b.min.js' | url }}"></script>
       {% for path in config["extra_javascript"] %}
         <script src="{{ path | url }}"></script>
       {% endfor %}

src/assets/javascripts/integrations/search/highlighter/index.ts

@@ -20,6 +20,8 @@
  * IN THE SOFTWARE.
  */
 
+import escapeHTML from "escape-html"
+
 import { SearchIndexConfig } from "../_"
 
 /* ----------------------------------------------------------------------------
@@ -77,7 +79,7 @@ export function setupSearchHighlighter(
     })`, "img")
 
     /* Highlight string value */
-    return value => value
+    return value => escapeHTML(value)
       .replace(match, highlight)
       .replace(/<\/mark>(\s+)<mark[^>]*>/img, "$1")
   }