escape html for external strings

src/tools/icon-utils.ts

@@ -7,6 +7,7 @@ import {
   isFileExcalidraw,
   warnDebug,
 } from './utils'
+import { escapeHTML } from './text-processing'
 
 export interface IconPacks {
   prefixToIconPack: { [prefix: string]: string }
@@ -133,7 +134,7 @@ export async function loadIconSVG(
 
   if (!prefix) {
     // No prefix, assume it's an emoji or text
-    return `<span class="omnisearch-result__icon--emoji">${name}</span>`
+    return `<span class="omnisearch-result__icon--emoji">${escapeHTML(name)}</span>`
   }
 
   const iconPackName = prefixToIconPack[prefix]

src/tools/text-processing.ts

@@ -78,15 +78,6 @@ export class TextProcessor {
     }
   }
 
-  escapeHTML(html: string): string {
-    return html
-      .replaceAll('&', '&')
-      .replaceAll('<', '&lt;')
-      .replaceAll('>', '&gt;')
-      .replaceAll('"', '&quot;')
-      .replaceAll("'", '&#039;')
-  }
-
   /**
    * Converts a list of strings to a list of words, using the \b word boundary.
    * Used to find excerpts in a note body, or select which words to highlight.
@@ -200,7 +191,7 @@ export class TextProcessor {
   }
 }
 
-function escapeHTML(html: string): string {
+export function escapeHTML(html: string): string {
   return html
     .replaceAll('&', '&amp;')
     .replaceAll('<', '&lt;')