
Search highlighting does not properly escape HTML #2879

@jbms

Contribution guidelines

I've found a bug and checked that ...

  • ... the problem doesn't occur with the mkdocs or readthedocs themes
  • ... the problem persists when all overrides are removed, i.e. custom_dir, extra_javascript and extra_css
  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

Search highlighting obtains the textContent of nodes, applies replacements, and then adds it back as innerHTML.

Consequently, text that looks like HTML tags can get mangled.

Instead, escapeHTML(value) should be used prior to applying the replacements in src/assets/javascripts/integrations/search/highlighter/index.ts.

Example link:

https://squidfunk.github.io/mkdocs-material/customization/?h=your#additional-variables

Note that the <!-- Add your additional information here --> text disappears when we add the ?h=your parameter.

Expected behaviour

n/a

Actual behaviour

n/a

Steps to reproduce

n/a

Package versions

mkdocs-material master as of 2021-07-28:

e29dfd0

Configuration

n/a

System information

n/a
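As an added illustration of the bug and the proposed fix (example code, not mkdocs-material's own highlighter): `highlightUnsafe` mirrors the textContent -> replace -> innerHTML flow the issue describes, while `highlightSafe` escapes the text before wrapping matches in `<mark>`, so a code span such as `<!-- Add your additional information here -->` survives a search for `your`. It escapes each split segment rather than the whole string up front, which also avoids matching a term like `amp` inside an entity such as `&amp;`; the `escapeHTML` and `escapeRegExp` helpers are assumptions, not the project's.

```javascript
// Minimal HTML escaper (assumed helper; the issue refers to an escapeHTML
// function in the project, this is a stand-in with the same purpose).
function escapeHTML(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Escape regex metacharacters so the search term is matched literally.
function escapeRegExp(value) {
  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Buggy flow from the issue: raw textContent is wrapped and handed back as
// innerHTML, so text that merely looks like markup (here an HTML comment)
// is parsed as markup by the browser and the visible text disappears.
function highlightUnsafe(text, term) {
  const re = new RegExp(escapeRegExp(term), "gi");
  return text.replace(re, (m) => `<mark>${m}</mark>`);
}

// Fixed flow: split the original text on the term (capturing group keeps the
// matches at odd indices), escape every segment, and only then add <mark>.
// Matching happens on the unescaped text, so entities never get split.
function highlightSafe(text, term) {
  if (term === "") return escapeHTML(text);
  const re = new RegExp(`(${escapeRegExp(term)})`, "gi");
  return text
    .split(re)
    .map((part, i) =>
      i % 2 === 1 ? `<mark>${escapeHTML(part)}</mark>` : escapeHTML(part))
    .join("");
}

// Constructed sample: the code-span text from the linked page, searched
// with ?h=your as in the issue.
const sample = "<!-- Add your additional information here -->";
console.log(highlightUnsafe(sample, "your")); // starts with "<!--": parsed as a comment
console.log(highlightSafe(sample, "your"));   // "&lt;!-- Add <mark>your</mark> ... --&gt;"
```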

Labels: bug (Issue reports a bug), resolved (Issue is resolved, yet unreleased if open)