Search results content HTML is not escaped (#22782)

Part of #1207

Author: Peter Bengtsson

lib/search/lunr-search.js

@@ -248,7 +248,7 @@ function field(matchData, record, name) {
   if (!positions.length) return text
 
   // Highlight the text
-  return positions
+  const highlighted = positions
     .map(([prev, start, end], i) => [
       text.slice(prev, start),
       mark(text.slice(start, end)),
@@ -257,6 +257,16 @@ function field(matchData, record, name) {
     .flat()
     .filter(Boolean)
     .join('')
+
+  // We can't HTML escape the content until AFTER all the matchData positions
+  // have been processed otherwise, the positions should shift.
+  // The only HTML that is OK to keep is <mark> and </mark>.
+  return highlighted
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/&lt;mark&gt;/g, '<mark>')
+    .replace(/&lt;\/mark&gt;/g, '</mark>')
 }
 
 function mark(text) {