fix(search-pad): prevent HTML injection

Given the apprioritate title and search text HTML injection was
possible until now.

lib/features/search-pad/SearchPad.js

@@ -11,6 +11,9 @@ import {
   getBBox as getBoundingBox
 } from '../../util/Elements';
 
+import {
+  escapeHTML
+} from '../../util/EscapeUtil';
 
 /**
  * Provides searching infrastructure
@@ -507,9 +510,9 @@ function createHtmlText(tokens) {
 
   tokens.forEach(function(t) {
     if (t.matched) {
-      htmlText += '<strong class="' + SearchPad.RESULT_HIGHLIGHT_CLASS + '">' + t.matched + '</strong>';
+      htmlText += '<strong class="' + SearchPad.RESULT_HIGHLIGHT_CLASS + '">' + escapeHTML(t.matched) + '</strong>';
     } else {
-      htmlText += t.normal;
+      htmlText += escapeHTML(t.normal);
     }
   });