escape user-entered content on search results page

- product_name and product_version come from user input, were vulnerable
  to XSS.
- We don't need to escape the product_name and product_version on the
  "hit" because they come from elastic search (and should presumedly
  already be "safe" content")
- [Fixes ##151375134]

spec/template_app/lib/search/handler_spec.rb

@@ -73,6 +73,32 @@ module Bookbinder::Search
 
         expect(html).to include('1 to 3 of 3')
       end
+
+      it 'properly escapes user input (product name and version)' do
+        allow(mock_client).to receive(:search) do
+          {
+            'hits' => {
+              'total' => 1,
+              'hits' => [
+                {
+                  '_source' => {
+                    'url' => 'hi.html',
+                    'title' => 'Hi'
+                  },
+                  'highlight' => {
+                    'text' => [' Im a highlight ']
+                  }
+                },
+              ]
+            }
+          }
+        end
+
+        result = handler.call('QUERY_STRING' => 'q=%3Cscript%3Ealert%28%22hi%22%29%3B%3C/script%3E&product_name=product_name=%3Cscript%3Ealert%28%22hi%22%29%3B%3C/script%3E&product_version=product_name=%3Cscript%3Ealert%28%22hi%22%29%3B%3C/script%3E')
+        html = result.last.first
+
+        expect(html).not_to include('<script>')
+      end
     end
 
     describe '#extract_query_params' do

template_app/search-results.html.erb

@@ -15,8 +15,8 @@ end
 
     <% unless product_name.nil? %>
       <h4 style="border: 1px solid #ccc; padding: 4px 20px;">
-        Filtering by: <%= product_name %>
-        <% unless product_version.nil? %>and <%= product_version %>
+        Filtering by: <%= escape_html product_name %>
+        <% unless product_version.nil? %>and <%= escape_html product_version %>
         <% end %>
       </h4>
     <% end %>