
Conversation

@hasseneafif

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

This PR addresses a security vulnerability and code quality issue:

Security: The Algolia search theme was rendering HTML from search results using dangerouslySetInnerHTML without proper sanitization. While Algolia's search results are generally trusted, this creates a potential XSS vulnerability if:

  • Malicious content is indexed by Algolia
  • The Algolia index is compromised
  • Search results contain unexpected HTML

This PR adds comprehensive HTML sanitization to prevent XSS attacks while preserving search highlighting functionality, and modernizes deprecated JavaScript methods.

Test Plan

Security Testing

Created comprehensive test suite with 14 test cases covering:

  • Safe tag preservation (<em>, <mark>, <strong>, <b>, <i>)
  • Dangerous tag removal (<script>, <iframe>, <object>, <img>, etc.)
  • Event handler stripping (onclick, onload, onerror, etc.)
  • Protocol-based attack prevention (javascript:, data: URIs)
  • Style injection prevention
  • Nested tag handling
  • Algolia-specific CSS class replacement

Verification Steps

# Run sanitizer tests
yarn test htmlSanitizer

# All 14 tests passing ✓
# No TypeScript errors ✓
# No ESLint errors ✓

@meta-cla

meta-cla bot commented Feb 8, 2026

Hi @hasseneafif!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

@netlify

netlify bot commented Feb 8, 2026

[V2]

Built without sensitive environment variables

Name Link
🔨 Latest commit 2eaf397
🔍 Latest deploy log https://app.netlify.com/projects/docusaurus-2/deploys/6988c9c2935c040008e9a063
😎 Deploy Preview https://deploy-preview-11726--docusaurus-2.netlify.app

@hasseneafif
Author

I have signed the CLA.

@meta-cla meta-cla bot added the CLA Signed Signed Facebook CLA label Feb 8, 2026
@meta-cla

meta-cla bot commented Feb 8, 2026

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@Josh-Cena
Collaborator

I'm not sure if this is an actual attack vector, but I do think this is not as benign as other places where we use dangerously; the Algolia index getting compromised idea may actually work. Do you have a PoC?

@hasseneafif
Author

Yes, I do have a proof of concept. I've locally initiated XSS POC tests that demonstrate real attack scenarios.

If an attacker can inject malicious content into the Algolia index (either by compromising the index or through user-generated content that gets indexed), they can execute XSS attacks.

Attack Scenarios Tested:

  1. Script Tag Injection
    'Search <script>alert("XSS")</script> Result'
    // Without sanitization: executes alert
    // With sanitization: 'Search Result'

  2. 'Result <iframe src="javascript:alert(\'XSS\')"></iframe>'
    // Without sanitization: executes JavaScript in iframe
    // With sanitization: 'Result '

etc.

I could provide it if needed.
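The PR description's test matrix (safe tag preservation, dangerous tag removal, event handler stripping, protocol-based attacks, style injection, nested tags, class replacement) and the PoC scenarios above describe the same sanitizer behaviour from two sides. The following JavaScript is an added example, not the PR's htmlSanitizer and not Docusaurus code: an allowlist sanitizer for Algolia highlight snippets that keeps only `<em>`, `<mark>`, `<strong>`, `<b>` and `<i>`, drops every attribute except a class that maps to a known theme class, and discards the bodies of script-like elements. The function names and the `algolia-highlight` to `theme-search-highlight` class mapping are assumptions constructed for the example; the real class names are the ones in the PR.

```javascript
// Added example, not Docusaurus or PR code: an allowlist sanitizer for
// Algolia highlight snippets. Only the tags the PR's test matrix keeps
// survive, every attribute except a mapped class is dropped, and the
// bodies of script-like elements are discarded entirely.

const ALLOWED_TAGS = new Set(['em', 'mark', 'strong', 'b', 'i']);

// Elements whose text content must not leak into the output either.
const DROP_BODY_TAGS = new Set([
  'script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template', 'svg', 'math',
]);

// Assumed (constructed) mapping from an Algolia highlight class to the
// theme's own class; the real names live in the PR, not here.
const CLASS_MAP = {
  'algolia-highlight': 'theme-search-highlight',
};

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;

// Escape text nodes without double-escaping entities Algolia already emitted.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Keep only class names that map to a known theme class; everything else
// (onclick, style, href, unknown classes) is dropped with the attribute.
function cleanClass(attrs) {
  const m = /\bclass\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
  if (!m) return '';
  const raw = m[1] ?? m[2] ?? m[3] ?? '';
  const mapped = raw.split(/\s+/).map((c) => CLASS_MAP[c]).filter(Boolean);
  return mapped.length ? ` class="${mapped.join(' ')}"` : '';
}

function sanitizeHighlight(html) {
  let out = '';
  const open = [];        // stack of currently open allowed tags
  let last = 0;           // end of the last consumed tag
  let skipUntil = null;   // name of the drop-body element being skipped
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [full, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    const isClose = full[1] === '/';
    const selfClosing = full.endsWith('/>');
    if (skipUntil) {
      // Inside <script>...</script> etc.: drop everything until it closes.
      if (isClose && name === skipUntil) skipUntil = null;
      last = m.index + full.length;
      continue;
    }
    out += escapeText(html.slice(last, m.index));
    last = m.index + full.length;
    if (ALLOWED_TAGS.has(name)) {
      if (isClose) {
        // Close mis-nested tags in order; ignore closers with no opener.
        if (open.includes(name)) {
          let t;
          do { t = open.pop(); out += `</${t}>`; } while (t !== name);
        }
      } else {
        out += `<${name}${cleanClass(attrs)}>`;
        if (!selfClosing) open.push(name);
      }
    } else if (DROP_BODY_TAGS.has(name) && !isClose && !selfClosing) {
      skipUntil = name;
    }
    // Any other tag (img, a, div, ...) is removed together with its attributes.
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// First PoC scenario from the thread; prints: Search  Result
console.log(sanitizeHighlight('Search <script>alert("XSS")</script> Result'));
```

Dropping attributes wholesale, rather than filtering `href` or `src` values, is what makes the `javascript:` and `data:` cases fall out for free: the only attribute that can survive is a class whose value is looked up in a fixed map, so there is no URL or CSS to parse. Discarding the body of `<script>`, `<style>` and `<iframe>` (instead of just the tags) keeps their contents from appearing as visible text in the result list.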
