Fixed JavaScript code block evaluation in search results

CHANGELOG

@@ -1,3 +1,7 @@
+mkdocs-material-3.x.x (2018-xx-xx)
+
+  * Fixed #906: JavaScript code blocks evaluated in search results
+
 mkdocs-material-3.0.5 (2018-10-23)
 
   * Added Croatian and Indonesian translations

material/base.html

@@ -177,7 +177,7 @@
       {% endblock %}
     </div>
     {% block scripts %}
-      <script src="{{ 'assets/javascripts/application.a26c1c19.js' | url }}"></script>
+      <script src="{{ 'assets/javascripts/application.627ea402.js' | url }}"></script>
       {% if lang.t("search.language") != "en" %}
         {% set languages = lang.t("search.language").split(",") %}
         {% if languages | length and languages[0] != "" %}

src/assets/javascripts/components/Material/Search/Result.jsx

@@ -27,6 +27,25 @@ import lunr from "expose-loader?lunr!lunr"
  * Functions
  * ------------------------------------------------------------------------- */
 
+/**
+ * Escape HTML strings
+ *
+ * Documentation may contain code JavaScript code snippets which would get
+ * executed when inserted into the DOM as plain HTML.
+ *
+ * See https://github.com/squidfunk/mkdocs-material/issues/906
+ *
+ * @param {string} html - HTML string
+ *
+ * @return {string} Escaped HTML string
+ */
+const escapeHTML = html => {
+  var text = document.createTextNode(html);
+  var p = document.createElement('p');
+  p.appendChild(text);
+  return p.innerHTML;
+}
+
 /**
  * Truncate a string after the given number of character
  *
@@ -138,6 +157,10 @@ export default class Result {
         this.docs_ = data.reduce((docs, doc) => {
           const [path, hash] = doc.location.split("#")
 
+          /* Escape HTML */
+          doc.title = escapeHTML(doc.title)
+          doc.text  = escapeHTML(doc.text)
+
           /* Associate section with parent document */
           if (hash) {
             doc.parent = docs.get(path)