SECURITY: fix possible XSS expanding quotes

app/assets/javascripts/discourse/views/post.js.es6

@@ -145,11 +145,10 @@ const PostView = Discourse.GroupedView.extend(Ember.Evented, {
       topicId = parseInt(topicId, 10);
 
       Discourse.ajax("/posts/by_number/" + topicId + "/" + postId).then(function (result) {
-        // slightly double escape the cooked html to prevent jQuery from unescaping it
-        const escaped = result.cooked.replace(/&[^gla]/, "&");
-        const parsed = $(escaped);
-        parsed.replaceText(originalText, "<span class='highlighted'>" + originalText + "</span>");
-        $blockQuote.showHtml(parsed, 'fast', finished);
+        const div = $("<div class='expanded-quote'></div>");
+        div.html(result.cooked);
+        div.highlight(originalText, {caseSensitive: true, element: 'span', className: 'highlighted'});
+        $blockQuote.showHtml(div, 'fast', finished);
       });
     } else {
       // Hide expanded quote

app/assets/javascripts/vendor.js

@@ -22,7 +22,6 @@
 //= require div_resizer
 //= require caret_position
 //= require favcount.js
-//= require jquery.ba-replacetext.js
 //= require jquery.ba-resize.min.js
 //= require jquery.color.js
 //= require jquery.cookie.js