Use a patched version of awesomplete...

which doesn't render suggestions as HTML.

See https://github.com/LeaVerou/awesomplete/pull/17082

CHANGES.md

@@ -1,6 +1,13 @@
 # Changelog
 
-## 3.1.0 ((2017-07-05))
+## 3.1.1 (Unreleased)
+
+- Use a patched version of [awesomplete](https://github.com/LeaVerou/awesomplete)
+  which doesn't render suggestions as HTML (possible XSS attack vector). [jcbrand]
+
+More info here: https://github.com/LeaVerou/awesomplete/pull/17082
+
+## 3.1.0 (2017-07-05)
 
 ### API changes
 - Deprecate the `updateSettings` method in favour of

package.json

@@ -33,7 +33,7 @@
   },
   "devDependencies": {
     "almond": "~0.3.3",
-    "awesomplete": "^1.1.1",
+    "awesomplete-avoid-xss": "^1.1.2",
     "backbone": "1.3.3",
     "backbone.browserStorage": "0.0.3",
     "backbone.overview": "0.0.3",

src/config.js

@@ -16,7 +16,7 @@ require.config({
     baseUrl: '.',
     paths: {
         "almond":                   "node_modules/almond/almond",
-        "awesomplete":              "node_modules/awesomplete/awesomplete",
+        "awesomplete":              "node_modules/awesomplete-avoid-xss/awesomplete",
         "backbone":                 "node_modules/backbone/backbone",
         "backbone.noconflict":      "src/backbone.noconflict",
         "backbone.browserStorage":  "node_modules/backbone.browserStorage/backbone.browserStorage",