Scrub search results from ES

This scrubs the HTML we display from ES to avoid script injection.

bower.json

@@ -21,7 +21,8 @@
     "knockout": "~3.3.0",
     "jquery.payment": "~1.3.0",
     "jquery-migrate": "~1.2.1",
-    "jquery-ui": "1.8.23"
+    "jquery-ui": "1.8.23",
+    "xss": "~0.3.1"
   },
   "resolutions": {
     "jquery": "2.0.3"

package.json

@@ -3,7 +3,9 @@
   "version": "0.0.1",
   "description": "Read the Docs build dependencies",
   "author": "Anthony Johnson <anthony@readthedocs.com>",
-  "dependencies": {},
+  "dependencies": {
+    "cssfilter": "0.0.8"
+  },
   "devDependencies": {
     "bower": "*",
     "bower-resolve": "^2.2.1",

readthedocs/core/static-src/core/js/doc-embed/search.js

@@ -2,7 +2,8 @@
  * Sphinx search overrides
  */
 
-var rtddata = require('./rtd-data');
+var rtddata = require('./rtd-data'),
+    xss = require('xss/lib/index');
 
 
 function init() {
@@ -62,7 +63,7 @@ function attach_elastic_search_query(data) {
                         }
                         if (highlight.content.length) {
                             var content = $('<div class="context">')
-                                .html(highlight.content[0]);
+                                .html(xss(highlight.content[0]));
                             content.find('em').addClass('highlighted');
                             list_item.append(content);
                         }