rendered_markdown: Fix HTML injection bug in update_elements.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

web/src/rendered_markdown.ts

@@ -323,9 +323,13 @@ export const update_elements = ($content: JQuery): void => {
     // Display emoji (including realm emoji) as text if
     // user_settings.emojiset is 'text'.
     if (user_settings.emojiset === "text") {
-        $content.find(".emoji").replaceWith(function (): string {
+        $content
+            .find(".emoji")
+            .text(function () {
                 const text = $(this).attr("title");
                 return ":" + text + ":";
-        });
+            })
+            .contents()
+            .unwrap();
     }
 };

web/tests/rendered_markdown.test.js

@@ -467,10 +467,11 @@ run_test("emoji", () => {
     const $emoji = $.create("emoji-stub");
     $emoji.attr("title", "tada");
     let called = false;
-    $emoji.replaceWith = (f) => {
+    $emoji.text = (f) => {
         const text = f.call($emoji);
         assert.equal(":tada:", text);
         called = true;
+        return {contents: () => ({unwrap() {}})};
     };
     $content.set_find_results(".emoji", $emoji);
     user_settings.emojiset = "text";